Lucene search

IBMD379B810B9B65623CCB5F5B23C930A7E47E9DD70274642341F6DEF112FF6A92F

HistoryApr 16, 2024 - 5:05 p.m.

Security Bulletin: Vulnerabilities in libxml2 library (CVE-2023-28484, CVE-2023-29469) affect Power HMC.

2024-04-1617:05:35

www.ibm.com

libxml2

vulnerabilities

denial of service

power hmc

ibm fix central

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

41.1%

JSON

Summary

The libxml2 library is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2023-28484
**DESCRIPTION:**GNOME libxml2 is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the xmlSchemaFixupComplexType function. By persuading a victim to open a specially crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253138 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-29469
**DESCRIPTION:**GNOME libxml2 is vulnerable to a denial of service, caused by a double free flaw in the xmlDictComputeFastKey function due to hashing empty strings are not null-terminated. By persuading a victim to open a specially crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253143 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
HMC V10.1.1010.0	V10.1.1010.0
HMC V10.2.1030.0	V10.2.1030.0
HMC V10.3.1050.0	V10.3.1050.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>

Product

VRMF

APAR

Remediation/Fix

—|—|—|—

Power HMC

V10.1.1020.0 SP3 x86

MB04446

MF71681

Power HMC

V10.1.1020.0 SP3 ppc

MB04447

MF71682

Power HMC

V10.2.1040.0 SP2 x86

MB04448

MF71683

Power HMC

V10.2.1040.0 SP2 ppc

MB04449

MF71684

Power HMC

V10.3.1050.0 SP1 x86

MB04450

MF71685

Power HMC

V10.3.1050.0 SP1 ppc

MB04451

MF71686

Workarounds and Mitigations

None

CPENameOperatorVersion
hardware management console v10eqany

CPE	Name	Operator	Version
	hardware management console v10	eq	any

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

41.1%

JSON

Related for D379B810B9B65623CCB5F5B23C930A7E47E9DD70274642341F6DEF112FF6A92F