Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM90FE829739D35DBCBB1EC96A8A154C1AB60A3AC7C21E2103E140D075BAEC8010
HistoryMay 23, 2023 - 11:18 p.m.

Security Bulletin: This Power System update is being released to address CVE 2023-30438

2023-05-2323:18:19
www.ibm.com
42
ibm powervm
power9
power10
cve-2023-30438
firmware
data leakage
arbitrary code execution

CVSS3

9.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0

Percentile

5.1%

JSON

Summary

An internally discovered vulnerability in PowerVM on IBM Power9 and Power10 systems could allow an attacker with privileged user access to a logical partition to perform an undetected violation of the isolation between logical partitions which could lead to data leakage or the execution of arbitrary code in other logical partitions on the same physical server.

Vulnerability Details

CVEID:CVE-2023-30438
**DESCRIPTION:**A vulnerability was identified in IBM PowerVM that could lead to an undetected violation of the isolation between partitions.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252706 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
PowerVM Hypervisor FW1030.00 - FW1030.10
PowerVM Hypervisor FW1020.00 - FW1020.30
PowerVM Hypervisor FW1010.00 - FW1010.50
PowerVM Hypervisor FW950.00 - FW950.70

For Power9 servers, only FW950 is supported but all firmware releases on the listed products are vulnerable.

See the PSIRT Q&A for more information.

Remediation/Fixes

IBM strongly recommends customers with the products below install FW950.71(950_124) or newer to remediate this vulnerability.

Power 9

  1. IBM Power System L922 (9008-22L)

  2. IBM Power System S922 (9009-22A, 9009-22G)

  3. IBM Power System H922 (9223-22H, 9223-22S)

  4. IBM Power System S914 (9009-41A, 9009-41G)

  5. IBM Power System S924 (9009-42A, 9009-42G)

  6. IBM Power System H924 (9223-42H, 9223-42S)

  7. IBM Power System E950 (9040-MR9)

  8. IBM Power System E980 (9080-M9S)

IBM strongly recommends customers with the products below install FW1010.51(1010_163), FW1030.11(1030_052) or newer to remediate this vulnerability.

Power 10

  1. IBM Power System E1080 (9080-HEX)

IBM strongly recommends customers with the products below install FW1020.31(1020_102), FW1030.11(1030_058) or newer to remediate this vulnerability.

Power 10

  1. IBM Power System S1022 (9105-22A)

  2. IBM Power System S1024 (9105-42A)

  3. IBM Power System S1022s (9105-22B)

  4. IBM Power System S1014 (9105-41B)

  5. IBM Power System L1022 (9786-22H)

  6. IBM Power System L1024 (9786-42H)

  7. IBM Power System E1050 (9043-MRX)

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmpower9_system_firmwareMatchany
VendorProductVersionCPE
ibmpower9_system_firmwareanycpe:2.3:o:ibm:power9_system_firmware:any:*:*:*:*:*:*:*

Related

prion 1
cvelist 1
cve 1
nvd 1
prion
prion
Design/Logic Flaw
2023-05-17 13:15:00
cvelist
cvelist
CVE-2023-30438 IBM PowerVM gain access
2023-05-17 12:48:37
cve
cve
CVE-2023-30438
2023-05-17 13:15:09
nvd
nvd
CVE-2023-30438
2023-05-17 13:15:09

CVSS3

9.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0

Percentile

5.1%

JSON
Related for 90FE829739D35DBCBB1EC96A8A154C1AB60A3AC7C21E2103E140D075BAEC8010
prion1cvelist1cve1nvd1