Lucene search

K
ibmIBMA232330E36224F12F2011E3AFD54DB2570E9BDD3A37BF52256F7BFFD883F2C47
HistoryOct 18, 2019 - 4:00 a.m.

Security Bulletin: Vulnerabilities in Intel CPUs affect IBM Integrated Analytics System

2019-10-1804:00:14
www.ibm.com
12

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

Summary

Potential security vulnerabilities in CPUs may allow information disclosure. Intel released Microcode Updates (MCU) updates to mitigate this potential vulnerability. IBM Integrated Analytics System has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2019-11091 DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling Uncacheable Memory (MDSUM) vulnerability that allows uncacheable memory on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 3.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160993&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2018-12130 DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability that fills buffers on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160992&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-12127 DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability that fills buffers on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160991&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-12126 DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability that stores buffers on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160990&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

  • IBM Integrated Analytics System 1.0.0 - 1.0.17.0

Remediation/Fixes

Update to the following IBM Integrated Analytics System release :

Product VRMF Remediation / First Fix
IBM Integrated Analytics System 1.0.18.0 Link to Fix Central

CPENameOperatorVersion
ibm integrated analytics systemeqany

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N