IBM8F77FDF00B6700E1723EC42823088330248ACB5E34DAE4A31386710C9452E8C9Security Bulletin: Vulnerabilities in libXfont affect PowerKVM (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804)
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
Summary
PowerKVM is affected by three vulnerabilities in libXfont. These vulnerabilities are now fixed.
Vulnerability Details
CVEID: CVE-2015-1802**
DESCRIPTION:** X.Org libXfont could allow a local attacker to gain elevated privileges on the system, caused by an error in bdfReadProperties() in the property count when parsing malicious files. An attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
CVSS Base Score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101608 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-1803**
DESCRIPTION:** X.Org libXfont is vulnerable to a denial of service, caused by an invalid pointer in bdfReadCharacters() when parsing malicious files. A local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101609 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)
CVEID: CVE-2015-1804**
DESCRIPTION:** X.Org libXfont could allow a local attacker to gain elevated privileges on the system, caused by an error in bdfReadCharacters() when parsing malicious files. An attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
CVSS Base Score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101610 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Affected Products and Versions
PowerKVM 2.1
Remediation/Fixes
Fix is made available via Fix Central (https://ibm.biz/BdEnT8) in 2.1.1 Build 65.1 and all later 2.1.1 SP3 service builds and 2.1.1 fix packs. For systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README> for prerequisite fixes and instructions. Customers can also update from 2.1.1 (GA and later levels) by using “yum update”.
Workarounds and Mitigations
None
Related
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C