IBMD570A5B24F225364C9CACA8788996EC748C8E0DF9DE79C9B15E397389C9761C7Security Bulletin: Multiple vulnerabilities in mariadb affect PowerKVM
8.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:N/I:N/A:C
Summary
PowerKVM is affected by several vulnerabilities in mariadb. These vulnerabilities are now fixed.
Vulnerability Details
CVEID: CVE-2016-0640**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component has no confidentiality impact, partial integrity impact, and partial availability impact.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112472 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CVEID: CVE-2016-0641**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: MyISAM component has partial confidentiality impact, no integrity impact, and partial availability impact.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112473 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:P)
CVEID: CVE-2016-0643**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112475 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVEID: CVE-2016-0644**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: DDL component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112476 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVEID: CVE-2016-0646**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112477 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVEID: CVE-2016-0647**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: FTS component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112478 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVEID: CVE-2016-0648**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: PS component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112479 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVEID: CVE-2016-0649**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: PS component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112480 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVEID: CVE-2016-0650**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: Replication component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112481 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVEID: CVE-2016-0666**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: Security: Privileges component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112495 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CVEID: CVE-2016-3452**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: Security: Encryption component could allow a remote attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115321 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-3477**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: Parser component has high confidentiality impact, high integrity impact, and high availability impact.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115301 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-3521**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: Types component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115307 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-3615**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115309 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-5440**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: RBR component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115316 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-5444**
DESCRIPTION:** An unspecified vulnerability in Oracle MySQL Server related to the Server: Connection component could allow a remote attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115320 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
PowerKVM v2.1 and v3.1
Remediation/Fixes
Customers can update PowerKVM systems by using “yum update”.
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw_ _for 3.1.0.2 update 1 or later.
For version 2.1, see PowerKVM 2.1.1.3-65. Update 11 at https://ibm.biz/BdEnT8_ _ or later. Customers running v2.1 are, in any case, encouraged to upgrade to v3.1.
For v2.1 systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README> for prerequisite fixes and instructions.
Workarounds and Mitigations
None
Related
8.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:N/I:N/A:C