8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
PowerKVM is affected by vulnerabilities in icoutils. IBM has now addressed these vulnerabilities.
CVEID: CVE-2017-5208**
DESCRIPTION:** icoutils could allow a local attacker to execute arbitrary code on the system, caused by an integer overflow in the wrestool program. By creating a specially crafted executable and reading it via wrestool, an attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125733 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
CVEID: CVE-2017-5332**
DESCRIPTION:** icoutils is vulnerable to a denial of service, caused by an error in extract.c. By parsing a specially crafted file using wrestool, a local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 2.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125734 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-5333**
DESCRIPTION:** icoutils could allow a local attacker to execute arbitrary code on the system, caused by an integer overflow in extract.c within the wrestool program. By creating a specially crafted executable and reading it via wrestool, an attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125735 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
CVEID: CVE-2017-6009**
DESCRIPTION:** icoutils is vulnerable to a buffer overflow, caused by an error in the decode_ne_resource_id function in the restable.c. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2017-6010**
DESCRIPTION:** icoutils is vulnerable to a denial of service, caused by a buffer overflow flaw in the extract_icons function in extract.c. By persuading a victim to open a specially-crafted ico file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122146 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-6011**
DESCRIPTION:** Artifex Software MuJS is vulnerable to a buffer overflow, caused by an out-of-bounds read issue by the simple_vec function in extract.c. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
PowerKVM 2.1 and 3.1
Customers can update PowerKVM systems by using “yum update”.
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 8.
For version 2.1, see https://ibm.biz/BdEnT8. This issue is addressed starting with PowerKVM 2.1.1.3-65 update 17. Customers running v2.1 are, in any case, encouraged to upgrade to v3.1.
For v2.1 systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README> for prerequisite fixes and instructions.
none
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P