PowerKVM is affected by vulnerabilities in PostgreSQL. IBM has now addressed these vulnerabilities.
**CVEID:** CVE-2016-5423
**DESCRIPTION:** PostgreSQL is vulnerable to a denial of service. By sending specially crafted SQL statements containing CASE/WHEN commands, a remote authenticated attacker could exploit this vulnerability to cause the target server to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116082 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2016-5424
**DESCRIPTION:** PostgreSQL could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the improper handling of database and role names containing newlines, carriage returns, double quotes, or backslashes. By running certain maintenance programs, an attacker could grant the user superuser privileges.
CVSS Base Score: 8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116075 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
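The CVE-2016-5424 description names the four characters that make a database or role name unsafe for the affected maintenance programs. The following audit query is an added example for administrators, not part of the IBM bulletin or the PostgreSQL project; it lists any existing role or database whose name contains one of those characters, so they can be reviewed and renamed before the patched packages are rolled out. It assumes a standard PostgreSQL catalog (`pg_catalog.pg_roles`, `pg_catalog.pg_database`) and uses an `E''` escape string so the pattern reads the same regardless of the `standard_conforming_strings` setting.

```sql
-- Added audit query (not from the IBM bulletin): find roles and databases
-- whose names contain a newline, carriage return, double quote or backslash,
-- the characters named in the CVE-2016-5424 description.
--
-- In the E'' string, \\n and \\r reach the regex engine as \n and \r
-- (newline and carriage return), " is a literal double quote, and \\\\
-- reaches the regex engine as \\ (a literal backslash).
SELECT 'role'     AS object_type,
       rolname    AS name,
       rolsuper   AS is_superuser
FROM   pg_catalog.pg_roles
WHERE  rolname ~ E'[\\n\\r"\\\\]'

UNION ALL

SELECT 'database' AS object_type,
       datname    AS name,
       NULL       AS is_superuser
FROM   pg_catalog.pg_database
WHERE  datname ~ E'[\\n\\r"\\\\]'
ORDER  BY object_type, name;
```

An empty result means no existing names carry the problematic characters; any row returned identifies an object to inspect (and, for roles, whether it is already a superuser) before maintenance utilities are run against the cluster.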
Affected Products and Versions: PowerKVM 3.1 only
Customers can update PowerKVM systems by using “yum update”.
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed as of 3.1.0.2 update 4 or later.
Workarounds and Mitigations: None