Security Bulletin: Vulnerability in cpio affects PowerKVM (CVE-2014-9112)

Summary

A vulnerability in GNU cpio (CVE-2014-9112) affects PowerKVM.

Vulnerability Details

CVEID: CVE-2014-9112**
DESCRIPTION:** GNU cpio is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the process_copy_in() function. By persuading a victim to extract a specially-crafted archive file, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99130 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Products and Versions

PowerKVM 2.1 and PowerKVM 3.1

Remediation/Fixes

Fix is made available via Fix Central (https://ibm.biz/BdEnT8) for v2.1 in 2.1.1 Build 65.5 and all later 2.1.1 SP3 service builds and 2.1.1 fix packs. For version 3.1, see https://ibm.biz/BdHggw for 3.1 service build 2 or later.

For systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README&gt; for prerequisite fixes and instructions. Customers can also update from 2.1.1 (GA and later levels) by using “yum update”.

Workarounds and Mitigations

None