Security Bulletin: A vulnerability in Ruby affects PowerKVM

Published: 2019-03-04 05:55:02
www.ibm.com

EPSS: 0.009 (percentile 82.8%)

Summary

PowerKVM is affected by a vulnerability in Ruby. IBM has now addressed this vulnerability.

Vulnerability Details

CVEID: CVE-2018-16395
DESCRIPTION: Ruby could allow a remote attacker to bypass security restrictions, caused by a flaw when comparing two OpenSSL::X509::Name objects using == in the OpenSSL library. By sending specially-crafted arguments, an attacker could exploit this vulnerability to create an illegitimate certificate that may be accepted as legitimate.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153077> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
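The flaw above is in the equality operator of OpenSSL::X509::Name, so application code that pins or matches certificate subjects with `==` inherits whatever that operator gets wrong. The following Ruby is an added example, not code from IBM, PowerKVM or the Ruby project: it compares distinguished names by their full DER encoding instead, which is independent of the `==` implementation and therefore gives a correct answer on patched and unpatched gems alike. The names, the self-signed test certificate and the helper names (`same_name?`, `subject_matches?`, `make_cert`) are all constructed for this illustration; the look-alike name is one whose CN merely starts with the legitimate CN, and a third name with the same components in a different order is included because DER comparison distinguishes that too.

```ruby
require 'openssl'

# Constructed sample names (not from the bulletin): a legitimate subject, a
# look-alike whose CN starts with the legitimate CN's value, and the
# legitimate components in a different RDN order.
LEGIT_NAME = OpenSSL::X509::Name.new([['CN', 'example.com'], ['O', 'Example Org']])
LOOKALIKE  = OpenSSL::X509::Name.new([['CN', 'example.com.attacker.test'], ['O', 'Example Org']])
REORDERED  = OpenSSL::X509::Name.new([['O', 'Example Org'], ['CN', 'example.com']])

# Strict equality that does not rely on Name#==: two distinguished names are
# treated as the same only if their DER encodings are byte-for-byte identical.
def same_name?(a, b)
  a.to_der == b.to_der
end

# Pin a certificate's subject to an expected name before trusting it.
def subject_matches?(cert, expected_name)
  same_name?(cert.subject, expected_name)
end

# Build a self-signed certificate for the given subject (test fixture only,
# hypothetical helper; a real deployment would load certificates from disk).
def make_cert(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  lookalike_cert = make_cert(LOOKALIKE)
  # Name#== is what CVE-2018-16395 concerns; its result depends on the gem version.
  puts "Name#== result:  #{LEGIT_NAME == lookalike_cert.subject}"
  # DER comparison does not depend on Name#== and rejects the look-alike.
  puts "DER comparison:  #{subject_matches?(lookalike_cert, LEGIT_NAME)}"
  puts "Reordered RDNs:  #{same_name?(LEGIT_NAME, REORDERED)}"
end
```

The DER comparison is a belt-and-braces check for code paths that compare subjects or issuers directly; it does not replace applying the PowerKVM update listed under Remediation/Fixes, which corrects the `==` operator itself for every caller.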

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 17.

Workarounds and Mitigations

none