IBM5F24C65D73B479E130777D125984FE83A3E823F357DE6B8D6120F66CAD0A466DSecurity Bulletin: This Power System update is being released to address CVE 2021-39296
0.003 Low
EPSS
Percentile
70.5%
Summary
POWER9: In response to a security issue with BMC’s IPMI LAN+ interface, a new Power System firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE 2021-39296.
Vulnerability Details
CVEID:CVE-2021-39296
**DESCRIPTION:**OpenBMC could allow a remote attacker to bypass security restrictions, caused by improper authentication validation by the netipmid (IPMI lan+) interface. By sending specially-crafted IPMI messages, an attacker could exploit this vulnerability to bypass authentication and gain full control of the system.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208988 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| 8335-GTC | OP910 |
| 8335-GTG | OP910 |
| 8335-GTH | OP920, OP930, OP940 |
| 8335-GTW | OP910 |
| 8335-GTX | OP940 |
| 9183-22X | OP940 |
| 7063-CR2 | OP940 |
Remediation/Fixes
Customers with the products below running OP910, install OP910.51
- IBM Power System AC922 (8335-GTG)
Customers with the products below running OP910, install OP910.52.C
- IBM Power System AC922 (8335-GTC, 8335-GTW)
Customers with the products below running OP920, OP930 or OP940, install OP940.22
- IBM Power System AC922 (8335-GTH, 8335-GTX)
Customers with the products below running OP940, install OP940.22
- IBM Power System IC922 (9183-22X)
Customers with the products below running OP940, install OP940.11
- IBM Power Hardware Management Console System Firmware (7063-CR2)
Workarounds and Mitigations
Keep the management network separate from the public network.
| CPE | Name | Operator | Version |
|---|---|---|---|
| power 9 ac922 | eq | 910 | |
| power 9 ac922 | eq | 940 |
Related
0.003 Low
EPSS
Percentile
70.5%