IBM8B40575C465B12E07D9CDF9C346E376F8ECDEC1EE992E42DAC12C9840AABDDB0Security Bulletin: This Power System update is being released to address CVE 2023-30440
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
EPSS
Percentile
17.7%
Summary
A vulnerability was identified internally by IBM related to SRIOV virtual function support in PowerVM. An attacker with privileged user access to a logical partition that has an assigned SRIOV virtual function (VF) may be able to create a Denial of Service of the VF assigned to other logical partitions on the same physical server and/or undetected arbitrary data corruption.
Vulnerability Details
CVEID:CVE-2023-30440
**DESCRIPTION:**IBM PowerVM Hypervisor could allow a local attacker with control a partition that has been assigned SRIOV virtual function (VF) to cause a denial of service to a peer partition or arbitrary data corruption.
CVSS Base score: 6.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253175 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| PowerVM Hypervisor | FW860.00 - FW860.B1 |
| PowerVM Hypervisor | FW950.00 - FW950.70 |
| PowerVM Hypervisor | FW1010.00 - FW1010.50 |
| PowerVM Hypervisor | FW1020.00 - FW1020.30 |
| PowerVM Hypervisor | FW1030.00 - FW1030.10 |
For Power8 servers, only a FW860 fix is being released but all firmware releases on the listed products are vulnerable.
For Power9 servers, only FW950 is supported but all firmware releases on the listed products are vulnerable.
Remediation/Fixes
Customers with the products below should install FW860.B3(860_245) or newer to remediate this vulnerability.
Power 8
-
IBM Power System S812 (8284-21A)
-
IBM Power System S822 (8284-22A)
-
IBM Power System S814 (8286-41A)
-
IBM Power System S824 (8286-42A)
-
IBM Power System S812L( 8247-21L)
-
IBM Power System S822L (8247-22L)
-
IBM Power System S824L (8247-42L)
-
IBM Power System E850 (8408-E8E)
-
IBM Power System E850C (8408-44E)
-
IBM Power System E870 (9119-MME)
-
IBM Power System E880 (9119-MHE)
-
IBM Power System E870C (9080-MME)
-
IBM Power System E880C (9080-MHE)
Customers with the products below should install FW950.71(950_124) or newer to remediate this vulnerability.
Power 9
-
IBM Power System L922 (9008-22L)
-
IBM Power System S922 (9009-22A, 9009-22G)
-
IBM Power System H922 (9223-22H, 9223-22S)
-
IBM Power System S914 (9009-41A, 9009-41G)
-
IBM Power System S924 (9009-42A, 9009-42G)
-
IBM Power System H924 (9223-42H, 9223-42S)
-
IBM Power System E950 (9040-MR9)
-
IBM Power System E980 (9080-M9S)
Customers with the products below should install FW1010.51(1010_159), FW1030.11(1030_052) or newer to remediate this vulnerability.
Power 10
- IBM Power System E1080 (9080-HEX)
Customers with the products below should install FW1020.31(1020_102), FW1030.11(1030_058) or newer to remediate this vulnerability.
Power 10
-
IBM Power System S1022 (9105-22A)
-
IBM Power System S1024 (9105-42A)
-
IBM Power System S1022s (9105-22B)
-
IBM Power System S1014 (9105-41B)
-
IBM Power System L1022 (9786-22H)
-
IBM Power System L1024 (9786-42H)
-
IBM Power System E1050 (9043-MRX)
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | for_power8_servers\,_only_a_fw860_fix_is_being_released_but | any | cpe:2.3:a:ibm:for_power8_servers\,_only_a_fw860_fix_is_being_released_but:any:*:*:*:*:*:*:* |
| ibm | power9_system_firmware | any | cpe:2.3:o:ibm:power9_system_firmware:any:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
EPSS
Percentile
17.7%