Published: Nov 01, 2022 - 7:30 p.m.

Security Bulletin: This Power System update is being released to address CVE 2022-34331

www.ibm.com

| Metric | Value |
|---|---|
| CVSS3 | 9.8 |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.002 |
| Percentile | 58.3% |

Summary

A security problem tracked as CVE-2022-34331 was addressed: switches configured to monitor network traffic for malicious activity are not effective because of errant adapter configuration changes. The misconfigured adapter can cause network traffic to flow directly between the VFs rather than out the physical port, thereby bypassing any monitoring configured in the switch. Packets may not be forwarded after a firmware update, or after certain error scenarios that require an adapter reset. Users configuring or using VEPA mode should install this update. These fixes pertain to adapters with the following Feature Codes and CCINs: #EC2R/EC2S with CCIN 58FA; #EC2T/EC2U with CCIN 58FB; and #EC66/EC67 with CCIN 2CF3. Update instructions: https://www.ibm.com/docs/en/power10?topic=updates-sr-iov-firmware-update

Vulnerability Details

**CVEID:** CVE-2022-34331
**DESCRIPTION:** After performing a sequence of Power FW maintenance operations, an SR-IOV network adapter can be improperly configured, leading to the desired VEPA configuration being disabled.
**CVSS Base score:** 5.5
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/229695 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| PowerVM Hypervisor | FW1010 and later |
| PowerVM Hypervisor | FW950 and later |

Remediation/Fixes

Customers with the products below should install FW950.50(950_105), FW1010.40(1010_146) or newer to remediate this concern.

Power 9

  1. IBM Power System S922 (9009-22A, 9009-22G)

  2. IBM Power System H922 (9223-22H, 9223-22S)

  3. IBM Power System S914 (9009-41A, 9009-41G)

  4. IBM Power System S924 (9009-42A, 9009-42G)

  5. IBM Power System H924 (9223-42H, 9223-42S)

  6. IBM Power System E950 (9040-MR9)

  7. IBM Power System E980 (9080-M9S)

Power 10

  1. IBM Power System E1080 (9080-HEX)
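As an added example (not IBM tooling and not part of the bulletin), the following check compares a reported PowerVM firmware level against the fixed levels named above, FW950.50 (950_105) and FW1010.40 (1010_146). The "FW950.30 (950_092)" input format and the sample levels are assumptions constructed for the example; streams the bulletin does not name a fix for are reported as "unknown" rather than guessed at.

```python
"""Classify a PowerVM firmware level against the CVE-2022-34331 fix levels.

Added example, not IBM code. Assumes the level is reported in the form
"FW<stream>.<release> (<stream>_<build>)", e.g. "FW950.30 (950_092)".
"""
import re
from typing import Optional, Tuple

# Minimum fixed levels taken from the bulletin, keyed by firmware stream:
# FW950.50 (950_105) and FW1010.40 (1010_146).
FIXED_LEVELS = {
    "950": (50, 105),
    "1010": (40, 146),
}

LEVEL_RE = re.compile(
    r"FW(?P<stream>\d+)\.(?P<release>\d+)\s*\((?P<stream2>\d+)_(?P<build>\d+)\)"
)


def parse_level(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (stream, release, build) or None if the string is not a level."""
    m = LEVEL_RE.search(text)
    if m is None or m["stream"] != m["stream2"]:
        return None
    return m["stream"], int(m["release"]), int(m["build"])


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown'.

    'unknown' covers unparsable input and streams for which the bulletin
    names no fix level (the bulletin says nothing about them either way).
    """
    parsed = parse_level(text)
    if parsed is None:
        return "unknown"
    stream, release, build = parsed
    if stream not in FIXED_LEVELS:
        return "unknown"
    # Release number first, then service-pack build: both must meet the minimum.
    return "fixed" if (release, build) >= FIXED_LEVELS[stream] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample levels, not real inventory data.
    for level in ["FW950.30 (950_092)", "FW950.50 (950_105)", "FW1010.40 (1010_146)"]:
        print(level, "->", assess(level))
```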

Workarounds and Mitigations

None
