Security Bulletin: Nova Filter Scheduler bypass through rebuild action (CVE-2017-16239)
Summary OpenStack Nova could allow a remote authenticated attacker to bypass security restrictions. By rebuilding an instance, an attacker could exploit this vulnerability to achieve Filter Scheduler bypass. Vulnerability Details CVE-ID: CVE-2017-16239 Description: OpenStack Nova could allow a...
Security Bulletin: IBM PowerVC is impacted by OpenStack Compute denial of service vulnerability (CVE-2016-7498)
Summary If an authenticated user deletes an instance while it is in resize state, it will cause the original instance to not be deleted from the compute node it was running on. An attacker can use this to launch a denial of service attack. All Nova setups are affected. Vulnerability Details CVEID...
Security Bulletin: IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592)
Summary IBM PowerVC may disclose some sensitive values in an error message. Vulnerability Details CVEID: CVE-2017-2592 DESCRIPTION: The OpenStack python oslo.middleware package could allow a local authenticated attacker to obtain sensitive information by including sensitive data in the CatchError...
Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200)
Summary IBM PowerVC may disclose some sensitive information while creating images with 'copyfrom' feature in the v1 Image Service API. Vulnerability Details CVEID: CVE-2017-7200 DESCRIPTION: OpenStack Glance is vulnerable to server-side request forgery, caused by a flaw in the 'copyfrom' feature ...
Security Bulletin: IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214)
Summary OpenStack Nova could allow an attacker to obtain sensitive information from logs. Vulnerability Details CVEID: CVE-2017-7214 DESCRIPTION: Legacy notification exception contexts appearing in OpenStack Nova's ERROR level logs may include sensitive information such as account passwords and...
Security Bulletin: IBM PowerVC - Local escalation of privilege vulnerability in DB2 for Linux (CVE-2016-5995)
Summary IBM PowerVC is impacted by a local escalation of privilege vulnerability in DB2 for Linux (CVE-2016-5995) Vulnerability Details CVE-ID: CVE-2016-5995 Description: DB2 for Linux, Unix and Windows is vulnerable to a privilege escalation due to code being built with binaries with libraries in...
Security Bulletin: IBM PowerVC is impacted by OpenStack Nova information disclosure vulnerabilities (CVE-2015-1850, CVE-2015-7548)
Summary IBM PowerVC is impacted by OpenStack Nova information disclosure vulnerabilities CVE-2015-1850, CVE-2015-7548 Vulnerability Details CVEID: CVE-2015-1850 DESCRIPTION: OpenStack Nova could allow a local attacker to obtain sensitive information, caused by the failure to provide input format t...
IBM PowerVC Information Disclosure Vulnerability (CNVD-2016-05956)
IBM PowerVC is a suite of virtualization management solutions. IBM PowerVC is affected by the OpenStack Nova information disclosure vulnerability. A local attacker can exploit the vulnerability to read arbitrary files from the host via qcow2 support for file overwrite image conversion...
Authentication flaw
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code...
CVE-2015-1950
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code...
CVE-2015-1950
CVE-2015-1950 affects IBM PowerVC Standard Edition 1.2.2.1–1.2.2.2, where access to the Python interpreter with nova credentials is not authenticated. This allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code. The vu...
IBM PowerVC Local Elevation of Privilege Vulnerability
IBM PowerVC is a suite of virtualization management solutions. A local elevation of privilege vulnerability exists in IBM PowerVC, allowing a local attacker to exploit the vulnerability to elevate privileges...
IBM PowerVC Elevation of Privilege Vulnerability
IBM PowerVC is a suite of virtualization management solutions. The solution supports virtual system management, virtual image management and deployment, and virtual workload management. The IBM PowerVC ceilometer NoSQL database does not require authentication to be performed, and an elevation of...
CVE-2015-1937
IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a sessio...
Authentication flaw
IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a sessio...
CVE-2015-1937
CVE-2015-1937 affects IBM PowerVC: the ceilometer NoSQL database in PowerVC 1.2.0.x (1.2.0.4 and earlier), 1.2.1.x (up to 1.2.1.2), and 1.2.2.x (up to 1.2.2.2) allows remote unauthenticated access via port 27017, enabling reading/writing arbitrary database records and potentially gaining administ...
CVE-2015-0137
IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 validates Hardware Management Console (HMC) certificates only during the pre-login stage, which allows man-in-the-middle attackers to spoof devices via a crafted certificate...
CVE-2015-0136
powervc-iso-import in IBM PowerVC 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 places an access token on the command line during IVM and PowerKVM management, which allows local users to obtain sensitive information by listing the process...