IBM Support

Security Bulletin: IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214)

Security Bulletin


Summary

OpenStack Nova could allow an attacker to obtain sensitive information from logs.

Vulnerability Details

CVEID: CVE-2017-7214
DESCRIPTION: Legacy notification exception contexts appearing in OpenStack Nova's ERROR level logs may include sensitive information such as account passwords and authorization tokens.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123591 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM PowerVC Standard Edition 1.3.0 through 1.3.0.2
IBM PowerVC Standard Edition 1.3.1 through 1.3.1.2
IBM PowerVC Standard Edition 1.3.2 through 1.3.2.1
IBM Cloud PowerVC Manager 1.3.1 through 1.3.0.2
IBM Cloud PowerVC Manager 1.3.2 through 1.3.0.1

Remediation/Fixes

Apply the appropriate fix from IBM Fix Central at http://www.ibm.com/support/fixcentral/

ProductVRMFAPARRemediation / Fix
IBM PowerVC Standard Edition1.3.0.2IT20665http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FPowerVC&fixids=Security-Fix-1.3.0.2-PowerVC-RHEL-NOARCH-APAR-IT20665&source=SAR
IBM PowerVC Standard Edition
IBM Cloud PowerVC Manager		1.3.1.2IT20665http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FPowerVC&fixids=Security-Fix-1.3.1.2-PowerVC-RHEL-NOARCH-APAR-IT20665&source=SAR
IBM PowerVC Standard Edition
IBM Cloud PowerVC Manager		1.3.2.1IT20665http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FPowerVC&fixids=Security-Fix-1.3.2.1-PowerVC-RHEL-NOARCH-APAR-IT20665&source=SAR

Note: Interim fixes are made available for versions listed above. If your PowerVC installation is not at the listed VRMF, please update it before applying the interim fix.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 May 2017: Initial publish

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSXK2N","label":"PowerVC Standard Edition"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"--","Platform":[{"code":"","label":"Power"}],"Version":"1.3.0;1.3.1;1.3.2","Edition":"Standard","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

Modified date:
17 June 2018

UID

nas8N1022011

Page Feedback