PowerKVM is affected by vulnerabilities in postgresql . IBM has now addressed these vulnerabilities.
CVEID: CVE-2017-15097**
DESCRIPTION:** PostgreSQL could allow a local authenticated attacker to gain elevated privileges on the system, caused by an error in the Red Hat Start scripts. An attacker could exploit this vulnerability to gain root access to the server machine.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136153> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-12172**
DESCRIPTION:** PostgreSQL could allow a local authenticated attacker to bypass security restrictions, caused by a flaw in the start scripts. By creating a symbolic link from the $PGLOG file to a critical file, an attacker could exploit this vulnerability to modify root-owned files.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134712> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
PowerKVM v3.1
Customers can update PowerKVM systems by using “yum update”.
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 12.
none