Security Bulletin: Pillow versions have a Denial of Service vulnerability due to uncontrolled memory allocation in ImageFont's
Summary An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance...
Security Bulletin: Information disclosure in persistent watchers handling
Summary Information disclosure in persistent watchers handling in Apache ZooKeeper due to a missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent to which the attacker already has access. ZooKeeper server doesn't do ACL check...
Security Bulletin: CVE-2023-6378
Summary A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-of-Service attack by sending poisoned data. Vulnerability Details CVEID:CVE-2023-6378 DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a denial of service, caus...
Security Bulletin: CVE-2023-6481
Summary A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-of-Service attack by sending poisoned data. Vulnerability Details CVEID:CVE-2023-6481 DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a deni...
Security Bulletin: CVE-2022-27452
Summary MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc, which is backported and fixed in 10.5.16. Vulnerability Details CVEID:CVE-2022-27452 DESCRIPTION: MariaDB Server is vulnerable to a denial of service, caused by a flaw in the...
Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-46669, CVE-2022-24048, MariaDB - 219814, MariaDB - 219815, CVE-2022-24050, CVE-2022-24052
Summary Summary guidance: MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used, and it is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in the processing of SQL queries. The specific flaw exists...
Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-27928
Summary Summary guidance: A remote code execution issue was discovered in MariaDB in the version PowerVC ships. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. Vulnerability Details CVEID:...
Security Bulletin: Openstack Compute (Neutron) noVNC proxy
Summary Fix OpenStack Neutron allowing a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the noVNC component. By modifying untrusted URL input using multiple backslashes, an attacker could exploit this vulnerability to redirect a victim to arbitrary websit...
Security Bulletin: Openstack Compute (Nova) noVNC proxy
Summary Fix OpenStack Nova allowing a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the noVNC component. By modifying untrusted URL input using multiple backslashes, an attacker could exploit this vulnerability to redirect a victim to arbitrary website...
Security Bulletin: PowerVC is impacted by an Openstack Nova vulnerability which could leak consoleauth tokens into log files (CVE-2015-9543)
Summary An issue discovered in OpenStack Nova can leak consoleauth tokens into log files, which can be used by an attacker with access to the service's log files to gain additional access into the OpenStack-based deployment. Vulnerability Details CVEID: CVE-2015-9543 DESCRIPTION: OpenStack Nova could...
Security Bulletin: PowerVC is impacted by information leakage from nova APIs during external exception (CVE-2019-14433)
Summary If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response and could include sensitive configuration or other data. Vulnerability Details CVEID: CVE-2019-14433 DESCRIPTION:...
Security Bulletin: PowerVC is impacted by an XSS vulnerability discovered in noVNC (CVE-2017-18635)
Summary An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name. Vulnerability Details CVEID: CVE-2017-18635 DESCRIPTION: noVNC is...
Security Bulletin: PowerVC is impacted by an OpenStack Neutron vulnerability related to security group rules (CVE-2019-10876)
Summary OpenStack Neutron is vulnerable to a denial of service, caused by a flaw in the neutron-openvswitch-agent. By creating two security groups with separate/overlapping port ranges, a remote authenticated attacker could exploit this vulnerability to prevent Neutron from being able to configur...
Security Bulletin: PowerVC is impacted by an OpenStack Neutron denial of service vulnerability (CVE-2018-14635)
Summary Openstack Neutron is vulnerable to a denial of service, caused by improper validation of user-supplied input. By using specially-crafted content, a remote authenticated attacker could exploit this vulnerability to cause the application to crash. Vulnerability Details CVEID: CVE-2018-14635...
Security Bulletin: PowerVC is affected by an Openstack Keystone vulnerability that could allow a remote authenticated attacker to discover restricted projects (CVE-2018-14432)
Summary PowerVC has addressed the following vulnerability. An authenticated "GET /v3/OS-FEDERATION/projects" request to the identity API may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects ...
Security Bulletin: A security vulnerability has been identified in IBM Spectrum Scale bundled with IBM Cloud PowerVC Manager for Software Defined Infrastructure (CVE-2018-1782)
Summary IBM Spectrum Scale v5.0.0 bundled with IBM Cloud PowerVC Manager for Software Defined Infrastructure SDI v1.1.0 can be upgraded to v5.0.1.X. IBM Spectrum Scale v5.0.1 is bundled with IBM Cloud PowerVC Manager for Software Defined Infrastructure SDI v1.1.1. Information about a security...
Security Bulletin: Ceilometer database access unrestricted in PowerVC (CVE-2015-1937)
Summary IBM PowerVC is using a ceilometer database that does not have authentication enabled. Vulnerability Details CVEID: CVE-2015-1937 DESCRIPTION: IBM PowerVC NoSQL database used by ceilometer is listening on the remote port and is configured to allow connections without any authentication. A...
Security Bulletin: Security vulnerabilities have been identified in IBM Spectrum Scale v5.0.0 shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0 (CVE-2018-1431, CVE-2016-0705, CVE-2017-3732, CVE-2018-1447)
Summary IBM Spectrum Scale v5.0.0 is shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure SDI v1.1.0. Information about security vulnerabilities affecting IBM Spectrum Scale v5.0.0 has been published in a security bulletin. Vulnerability Details Refer to the security bullet...
Security Bulletin: Security vulnerabilities have been identified in IBM Spectrum Scale v5.0.0 shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0 (CVE-2017-14746, CVE-2017-15275)
Summary IBM Spectrum Scale v5.0.0 is shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure SDI v1.1.0. Information about security vulnerabilities affecting IBM Spectrum Scale v5.0.0 has been published in a security bulletin. Vulnerability Details Refer to the security bullet...
Security Bulletin: A Security Vulnerability has Been Identified in IBM Spectrum Scale v5.0.0 shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure (SDI) v1.1.0 (CVE-2017-1654)
Summary IBM Spectrum Scale v5.0.0 is shipped with IBM Cloud PowerVC Manager for Software Defined Infrastructure SDI v1.1.0. Information about a security vulnerability affecting IBM Spectrum Scale v5.0.0 has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...