IBM58E66AC45C021727D779F3654F013DD203E99A0AA704F18EF45512AFD58D339ASecurity Bulletin: OpenStack Nova vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2016-2140)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
Summary
IBM Cloud Manager with Openstack is vulnerable to a OpenStack Nova vulnerablities. An attacker could exploit this vulnerability to obtain sensitive information by a host data leak in resize/migration.
Vulnerability Details
CVEID: CVE-2016-2140**
DESCRIPTION:** OpenStack Nova could allow a remote authenticated attacker to obtain sensitive information, caused by a host data leak in resize/migration. By overwriting a root disk with a malicious image, an attacker could exploit this vulnerability to read arbitrary files from the compute host and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111366 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
IBM Cloud Manager with OpenStack 4.3.0 through 4.3.0.6
IBM Cloud Manager with OpenStack 4.2.0 through 4.2.0.3
IBM Cloud Manager with OpenStack 4.1.0 through 4.1.0.5
Remediation/Fixes
Product
| VRMF| APAR| Remediation/First Fix
—|—|—|—
IBM Cloud Manager with OpenStack| 4.3.0| None| IBM Cloud Manager with Openstack 4.3 interim fix 3 for fix pack 6:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Cloud+Manager+with+Openstack&release=4.3.0.6&platform=All&function=fixId&fixids=+4.3.0.6-IBM-CMWO-IF003+&includeSupersedes=0
IBM Cloud Manager with OpenStack| 4.2.0| None| IBM Cloud Manager with Openstack 4.2 interim fix 8 for fix pack 3:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Cloud+Manager+with+Openstack&release=4.2.0.3&platform=All&function=fixId&fixids=+4.2.0.3-IBM-CMWO-IF008+&includeSupersedes=0
IBM Cloud Manager with OpenStack| 4.1.0| None| IBM Cloud Manager with Openstack 4.1 interim fix 4 for fix pack 5:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Cloud+Manager+with+Openstack&release=4.1.0.5&platform=All&function=fixId&fixids=+4.1.0.5-IBM-CMWO-IF004+&includeSupersedes=0
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud manager with openstack | eq | 4.1.0 | |
| ibm cloud manager with openstack | eq | 4.2.0 | |
| ibm cloud manager with openstack | eq | 4.3.0 |
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N