Security Bulletin: Vulnerabilities in Python affect PowerKVM (CVE-2013-5123, CVE-2014-8991)

Summary

PowerKVM is affected by two vulnerabilities in Python. These vulnerabilities are now fixed.

Vulnerability Details

CVEID: CVE-2013-5123**
DESCRIPTION:** Python pip could allow a remote attacker to bypass security restrictions, caused by the implementation of the mirroring support without authentication checks. An attacker could exploit this vulnerability to download software over insecure links.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106420 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2014-8991**
DESCRIPTION:** Python pip is vulnerable to a denial of service, caused by a predictable build directory. A local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98862 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central (https://ibm.biz/BdEnT8) in 2.1.1 Build 65.1 and all later 2.1.1 SP3 service builds and 2.1.1 fix packs. For systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README&gt; for prerequisite fixes and instructions. Customers can also update from 2.1.1 (GA and later levels) by using “yum update”.

Workarounds and Mitigations

None