Huawei TechnologiesHUAWEI-SA-20171018-01-FUSIONSPHERESecurity Advisory - Multiple Vulnerabilities in FusionSphere OpenStack
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.1%
There is a privilege escalation vulnerability in Huawei FusionSphere OpenStack. Due to improper privilege restrictions, an attacker with high privilege may obtain the other users’ certificates. Successful exploit may cause privilege escalation. (Vulnerability ID: HWPSIRT-2017-07053)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8187.
There is a command injection vulnerability in Huawei FusionSphere OpenStack. Due to lack of validation, an attacker with high privilege may inject malicious code into some module of the affected products, causing code execution. (Vulnerability ID: HWPSIRT-2017-07055)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8188.
There is a path traversal vulnerability in Huawei FusionSphere OpenStack. Due to insufficient path validation, an attacker with high privilege may exploit this vulnerability to cover some files, causing services abnormal. (Vulnerability ID: HWPSIRT-2017-07056)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8189.
There is an improper verification of cryptographic signature vulnerability in Huawei FusionSphere OpenStack. The software does not verify the cryptographic signature. An attacker with high privilege may exploit this vulnerability to inject malicious software. (Vulnerability ID: HWPSIRT-2017-07057)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8190.
There is a week cryptographic algorithm vulnerability in Huawei FusionSphere OpenStack. Attackers may exploit the vulnerability to crack the cipher text and cause information leak on the transmission links. (Vulnerability ID: HWPSIRT-2017-07058)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8191.
Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171018-01-fusionsphere-en
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| fusionsphere openstack | eq | V100R006C00SPC102 |
Related
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.1%