Jul 19, 2020 - 12:49 a.m.

Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-7548, CVE-2015-8749, CVE-2015-1850)

2020-07-19 00:49:12
www.ibm.com

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

IBM SmartCloud Entry is vulnerable to several OpenStack Nova vulnerabilities, which could allow a local authenticated attacker or a remote attacker to obtain sensitive information.

Vulnerability Details

CVEID: CVE-2015-8749
DESCRIPTION: OpenStack Nova could allow a remote attacker to obtain sensitive information, caused by a Xen connection password leak when attempting to connect a volume using the Xen API. An attacker with access to logs could exploit this vulnerability using StorageError to obtain the password and other sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109585 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-7548
DESCRIPTION: OpenStack Nova could allow a local authenticated attacker to obtain sensitive information, caused by an error in instance snapshot. By overwriting the disk inside an instance using a malformed image and requesting a snapshot, an attacker could exploit this vulnerability to read arbitrary files from the host.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109474 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2015-1850
DESCRIPTION: OpenStack Nova could allow a local attacker to obtain sensitive information, caused by the failure to provide input format to several calls of “qemu-img convert”. By overwriting an image convert using a qcow2 backing file, an attacker could exploit this vulnerability to read arbitrary files from the host.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:N/A:N)
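
The CVE-2015-7548 and CVE-2015-1850 descriptions above both depend on an image's format being guessed from its content. The following pre-conversion check is an added example, not code from IBM or OpenStack and not the Nova fix itself; the function names and the sample headers are constructed for illustration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"  # first four bytes of every qcow2 image

def inspect_image_header(data: bytes) -> dict:
    """Classify leading image bytes without trusting any declared label.
    Simplification: anything that is not qcow2 is reported as raw."""
    if len(data) < 20 or data[:4] != QCOW_MAGIC:
        return {"format": "raw", "backing_file": None}
    # qcow2 header, big-endian: version (u32), backing_file_offset (u64),
    # backing_file_size (u32), immediately after the magic.
    version, backing_off, backing_len = struct.unpack(">IQI", data[4:20])
    backing = None
    if backing_off and backing_len:
        raw_name = data[backing_off:backing_off + backing_len]
        backing = raw_name.decode("utf-8", "replace")
    return {"format": "qcow2", "version": version, "backing_file": backing}

def safe_to_convert(data: bytes, expected_format: str) -> tuple:
    """Policy gate to run before an image is handed to a converter."""
    info = inspect_image_header(data)
    if info["backing_file"] is not None:
        return False, "image references a backing file: " + info["backing_file"]
    if info["format"] != expected_format:
        return False, "expected %s, content looks like %s" % (
            expected_format, info["format"])
    return True, "ok"

def convert_argv(src: str, dst: str, expected_format: str) -> list:
    """qemu-img command line with the input format pinned via -f,
    so the tool does not auto-detect it from the file content."""
    return ["qemu-img", "convert", "-f", expected_format, "-O", "raw", src, dst]

def constructed_qcow2(backing: bytes = b"") -> bytes:
    """Constructed sample header for the demo (not a usable disk image)."""
    offset = 104 if backing else 0
    header = QCOW_MAGIC + struct.pack(">IQI", 3, offset, len(backing))
    return header.ljust(104, b"\0") + backing

if __name__ == "__main__":
    samples = {
        "plain qcow2 declared qcow2": (constructed_qcow2(), "qcow2"),
        "qcow2 content declared raw": (constructed_qcow2(), "raw"),
        "qcow2 with backing file": (
            constructed_qcow2(b"/placeholder/base.img"), "qcow2"),
    }
    for name, (blob, declared) in samples.items():
        print(name, "->", safe_to_convert(blob, declared))
```
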

Affected Products and Versions

IBM SmartCloud Entry 3.2 through Appliance fix pack 20
IBM SmartCloud Entry 3.1 through Appliance fix pack 20

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
IBM SmartCloud Entry | 3.1 | None | IBM SmartCloud Entry 3.1 Appliance fix pack 21: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.1.0.4-IBM-SCE_APPL-FP21&source=SAR&function=fixId&parent=ibm/Other%20software
IBM SmartCloud Entry | 3.2 | None | IBM SmartCloud Entry 3.2 Appliance fix pack 21: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.2.0.4-IBM-SCE_APPL-FP21&source=SAR&function=fixId&parent=ibm/Other%20software

Workarounds and Mitigations

None
