IBM7CD16492F6B0AE2BDD52B4B09B1DD7ACDD536B78903B9B545E6794CA7D669667Security Bulletin: A security vulnerability has been identified in Red Hat® Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
RHEL Server is shipped as a component of PPIM. Information about a security vulnerability affecting RHEL Server has been published in a Red Hat errata.
Vulnerability Details
CVEID:CVE-2018-16839
**DESCRIPTION:**Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152298 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2018-16842
**DESCRIPTION:**Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152300 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID:CVE-2018-16840
**DESCRIPTION:**A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an ‘easy’ handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152299 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
Principal Product and Version(s)
| Affected product remediation
—|—
- PurePower Integrated Manager Appliance 1.1.0, 1.1.0.1, 1.1.0.2, 1.2.0, 1.2.0.1, 1.2.0.2, 1.2.0.3, 1.2.0.4
-
- PurePower Integrated Manager Service Appliance 1.1.0, 1.1.0.1, 1.1.0.2, 1.2.0, 1.2.0.1, 1.2.0.2, 1.2.0.3, 1.2.0.4
-
- PurePower Integrated Manager Power VC Appliance 1.1.0, 1.1.0.1, 1.1.0.2, 1.2.0, 1.2.0.1, 1.2.0.2, 1.2.0.3, 1.2.0.4
-
- PurePower Integrated Manager KVM Host 1.1.0 , 1.1.0.1, 1.1.0.2, 1.2.0, 1.2.0.1, 1.2.0.2, 1.2.0.3, 1.2.0.4
| Red Hat RHEL Server (v.7) errata:RHSA-2019:2181
- PurePower Integrated Manager KVM Host 1.1.0 , 1.1.0.1, 1.1.0.2, 1.2.0, 1.2.0.1, 1.2.0.2, 1.2.0.3, 1.2.0.4
Remediation/Fixes
Follow the instructions in the Red Hat errata listed above for Red Hat Enterprise Linux Server.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm purepower | eq | any |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P