Sep 23, 2021 - 1:31 a.m.

Security Bulletin: Vulnerabilities in NTP Affect Power Hardware Management Console (CVE-2014-9297, CVE-2014-9298)

2021-09-23 01:31:39
www.ibm.com

Summary

NTP is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2014-9297
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to conduct spoofing attacks, caused by insufficient entropy in PRNG. An attacker could exploit this vulnerability to spoof the IPv6 address ::1 to bypass ACLs and launch further attacks on the system.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100004> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-9298
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to obtain sensitive information, caused by the improper validation of the length value in extension field pointers. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100005> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Power HMC V8.1.0.0
Power HMC V8.2.0.0
Power HMC V8.3.0.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>

Product | VRMF | APAR | Remediation/Fix
---|---|---|---
Power HMC | V8.8.1.0 SP2 | MB03938 | Apply eFix MH01550
Power HMC | V8.8.2.0 SP2 | MB03873 | Apply Service Pack 2 MH01488
Power HMC | V8.8.3.0 | MB03939 | Apply eFix MH01551

Workarounds and Mitigations

None