IBM Support

Security Bulletin: Multiple vulnerabilities in mariadb affect PowerKVM

Security Bulletin


Summary

PowerKVM is affected by several vulnerabilities in mariadb. These vulnerabilities are now fixed.

Vulnerability Details

CVEID: CVE-2016-0640
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component has no confidentiality impact, partial integrity impact, and partial availability impact.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112472 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:P)

CVEID: CVE-2016-0641
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: MyISAM component has partial confidentiality impact, no integrity impact, and partial availability impact.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112473 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:P)

CVEID: CVE-2016-0643
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112475 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2016-0644
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: DDL component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112476 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVEID: CVE-2016-0646
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112477 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVEID: CVE-2016-0647
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: FTS component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112478 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVEID: CVE-2016-0648
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: PS component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112479 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVEID: CVE-2016-0649
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: PS component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112480 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVEID: CVE-2016-0650
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: Replication component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112481 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVEID: CVE-2016-0666
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: Security: Privileges component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112495 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:P)

CVEID: CVE-2016-3452
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: Security: Encryption component could allow a remote attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115321 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-3477
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: Parser component has high confidentiality impact, high integrity impact, and high availability impact.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115301 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3521
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: Types component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115307 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-3615
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115309 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-5440
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: RBR component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115316 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-5444
DESCRIPTION:
An unspecified vulnerability in Oracle MySQL Server related to the Server: Connection component could allow a remote attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115320 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

PowerKVM v2.1 and v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw for 3.1.0.2 update 1 or later.

For version 2.1, see PowerKVM 2.1.1.3-65. Update 11 at https://ibm.biz/BdEnT8 or later. Customers running v2.1 are, in any case, encouraged to upgrade to v3.1.

For v2.1 systems currently running fix levels of PowerKVM prior to 2.1.1, please see http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README for prerequisite fixes and instructions.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

18 August 2016 - Initial Version

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSZJY4","label":"PowerKVM"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.1;3.1","Edition":"KVM","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]

Document Information

Modified date:
17 June 2018

UID

isg3T1024168