Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM1BD77C9BE53C3985973810E71BF1A5BF64F6D28C1B3D36B8B086C4494B3E85A4
HistoryMar 04, 2019 - 5:50 a.m.

Security Bulletin: Vulnerabilities in Ghostscript affect PowerKVM

2019-03-0405:50:01
www.ibm.com
15

EPSS

0.017

Percentile

88.0%

JSON

Summary

PowerKVM is affected by vulnerabilities in Artifex Ghostscript. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-16539 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to obtain sensitive information, caused by improper access checking in temp file handling.By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to obtain contents of files on the system.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149465&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-16511 DESCRIPTION: Artifex Ghostscript is vulnerable to a denial of service, caused by a type confusion flaw in ztype. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to crash the interpreter.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149463&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-15909 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion using the .shfill operator. An attacker could exploit this vulnerability using a PostScript file to crash the interpreter or possibly execute arbitrary code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148959&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-15908 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability using specially crafted PostScript files to bypass .tempfile restrictions and write files.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148960&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-15911 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to execute arbitrary code on the system, caused by an uninitialized memory access error in the aesdecode operator. An attacker could exploit this vulnerability to crash the interpreter or possibly execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148957&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-6116 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to mark subroutines as executeonly and make them pseudo-operators. An attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156003&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-19477 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to bypass security restrictions, caused by a JBIG2Decode type confusion in psi/zfjbig2.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153246&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-19476 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to bypass security restrictions, caused by a setcolorspace type confusion in psi/zicc.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153245&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-19475 DESCRIPTION: Artifex Ghostscript could allow a remote attacker to bypass security restrictions, caused by improper validation of stack space in psi/zdevice2.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153244&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-16540 DESCRIPTION: Artifex Ghostscript is vulnerable to a denial of service, caused by a use-after-free in copydevice handling in PDF14 converter. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to crash the interpreter.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149466&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 17.

Workarounds and Mitigations

none

Related

oraclelinux 3
nessus 47
redhat 2
openvas 38
centos 2
debian 5
ubuntu 2
osv 13
freebsd 1
fedora 5
amazon 1
mageia 1
suse 4
ubuntucve 8
debiancve 10
nvd 10
prion 9
cvelist 9
cve 10
veracode 9
alpinelinux 6
redhatcve 2
f5 1
archlinux 1
oraclelinux
oraclelinux
ghostscript security and bug fix update
2019-01-31 00:00:00
ghostscript security update
2018-11-26 00:00:00
ghostscript security, bug fix, and enhancement update
2019-08-13 00:00:00
nessus
nessus
CentOS 7 : ghostscript (CESA-2019:0229)
2019-02-11 00:00:00
Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20190131)
2019-02-01 00:00:00
Oracle Linux 7 : ghostscript (ELSA-2019-0229)
2019-02-01 00:00:00
redhat
redhat
(RHSA-2019:0229) Important: ghostscript security and bug fix update
2019-01-31 17:02:56
(RHSA-2018:3650) Important: ghostscript security update
2018-11-26 23:01:42
openvas
openvas
CentOS Update for ghostscript CESA-2019:0229 centos7
2019-02-10 00:00:00
Huawei EulerOS: Security Advisory for ghostscript (EulerOS-SA-2019-1065)
2020-01-23 00:00:00
Huawei EulerOS: Security Advisory for ghostscript (EulerOS-SA-2019-1092)
2020-01-23 00:00:00
centos
centos
ghostscript security update
2019-02-09 14:46:58
ghostscript security update
2018-12-13 20:45:17
debian
debian
[SECURITY] [DSA 4346-1] ghostscript security update
2018-11-27 22:45:15
[SECURITY] [DLA 1598-1] ghostscript security update
2018-11-28 15:00:30
[SECURITY] [DSA 4346-1] ghostscript security update
2018-11-27 22:45:15
ubuntu
ubuntu
Ghostscript vulnerabilities
2018-11-29 00:00:00
Ghostscript vulnerabilities
2018-09-19 00:00:00
osv
osv
ghostscript - security update
2018-11-28 00:00:00
ghostscript - security update
2018-09-07 00:00:00
ghostscript - security update
2018-09-13 00:00:00
freebsd
freebsd
Ghostscript -- arbitrary code execution
2018-08-21 00:00:00
fedora
fedora
[SECURITY] Fedora 27 Update: ghostscript-9.22-5.fc27
2018-09-07 15:25:45
[SECURITY] Fedora 29 Update: ghostscript-9.24-3.fc29
2018-09-21 05:46:15
[SECURITY] Fedora 28 Update: ghostscript-9.24-1.fc28
2018-09-11 17:04:00
amazon
amazon
Important: ghostscript
2018-10-08 22:17:00
mageia
mageia
Updated ghostscript packages fix security vulnerabilities
2018-09-21 02:17:55
suse
suse
Security update for ghostscript (important)
2018-10-05 21:10:24
Security update for ghostscript (important)
2018-10-05 21:13:14
Security update for ghostscript (important)
2018-12-15 12:10:58
ubuntucve
ubuntucve
CVE-2018-19476
2018-11-23 00:00:00
CVE-2018-19477
2018-11-23 00:00:00
CVE-2018-16511
2018-09-05 00:00:00
debiancve
debiancve
CVE-2018-19476
2018-11-23 05:29:03
CVE-2018-19475
2018-11-23 05:29:03
CVE-2018-16511
2018-09-05 06:29:00
nvd
nvd
CVE-2018-16511
2018-09-05 06:29:00
CVE-2018-19477
2018-11-23 05:29:03
CVE-2018-19476
2018-11-23 05:29:03
prion
prion
Type confusion
2018-11-23 05:29:00
Design/Logic Flaw
2018-11-23 05:29:00
Type confusion
2018-08-27 17:29:00
cvelist
cvelist
CVE-2018-19477
2018-11-23 05:00:00
CVE-2018-19476
2018-11-23 05:00:00
CVE-2018-16540
2018-09-05 18:00:00
cve
cve
CVE-2018-19477
2018-11-23 05:29:03
CVE-2018-19476
2018-11-23 05:29:03
CVE-2018-15909
2018-08-27 17:29:00
veracode
veracode
Denial Of Service (DoS)
2019-05-16 03:22:33
Authorization Bypass
2019-05-16 03:56:21
Authorization Bypass
2019-05-16 03:56:21
alpinelinux
alpinelinux
CVE-2018-19477
2018-11-23 05:29:03
CVE-2018-15909
2018-08-27 17:29:00
CVE-2018-19476
2018-11-23 05:29:03
redhatcve
redhatcve
CVE-2018-15908
2022-01-13 06:39:54
CVE-2018-16511
2018-09-13 11:49:25
f5
f5
K24803507 : Ghostscript vulnerability CVE-2018-15909
2019-10-16 00:00:00
archlinux
archlinux
[ASA-201901-18] ghostscript: sandbox escape
2019-01-29 00:00:00

EPSS

0.017

Percentile

88.0%

JSON
Related for 1BD77C9BE53C3985973810E71BF1A5BF64F6D28C1B3D36B8B086C4494B3E85A4
oraclelinux3nessus47redhat2openvas38centos2debian5ubuntu2osv13freebsd1fedora5amazon1mageia1suse4ubuntucve8debiancve10nvd10prion9cvelist9cve10veracode9alpinelinux6redhatcve2f51archlinux1