IBM Support

Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-5240, CVE-2015-3280)

Created by Hao Jun EW Wang on
Published URL: https://www.ibm.com/support/pages/node/628481

Security Bulletin


Summary

IBM SmartCloud Entry is vulnerable to a Nova vulnerability that allows a remote authenticated attacker to cause a denial of service.
IBM SmartCloud Entry is vulnerable to a Neutron vulnerability that allows an attacker to bypass firewall rules and gain access to applications.

Vulnerability Details

CVEID: CVE-2015-5240
DESCRIPTION:
OpenStack Neutron could allow a remote authenticated attacker to bypass security restrictions, caused by an error when the device owner of an instance's port is modified immediately following port creation. An attacker could exploit this vulnerability using the port update to bypass firewall rules and gain access to the application.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106231 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
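
A detection sketch for the pattern described for CVE-2015-5240: a port whose device owner is changed shortly after the port is created. This is an added example, not IBM or OpenStack code. The JSON-lines event schema, the sample events, the owner labels and the 5-second window are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical JSON-lines schema (not Neutron's log format).
SAMPLE_EVENTS = """\
{"ts": "2016-03-01T10:00:00", "action": "port.create", "port_id": "p-1", "tenant": "t-a", "device_owner": "owner-original"}
{"ts": "2016-03-01T10:00:01", "action": "port.update", "port_id": "p-1", "tenant": "t-a", "device_owner": "owner-changed"}
{"ts": "2016-03-01T10:05:00", "action": "port.create", "port_id": "p-2", "tenant": "t-b", "device_owner": "owner-original"}
{"ts": "2016-03-01T11:30:00", "action": "port.update", "port_id": "p-2", "tenant": "t-b", "device_owner": "owner-changed"}
{"ts": "2016-03-01T12:00:00", "action": "port.create", "port_id": "p-3", "tenant": "t-c", "device_owner": "owner-original"}
{"ts": "2016-03-01T12:00:02", "action": "port.update", "port_id": "p-3", "tenant": "t-c", "device_owner": "owner-original"}
"""

WINDOW = timedelta(seconds=5)  # assumed threshold for "immediately following"


def flag_rapid_owner_changes(text, window=WINDOW):
    """Return ports whose device_owner changed within `window` of creation."""
    created = {}  # port_id -> (creation time, last seen device_owner)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        pid = ev["port_id"]
        if ev["action"] == "port.create":
            created[pid] = (ts, ev.get("device_owner"))
        elif ev["action"] == "port.update" and pid in created:
            t0, old_owner = created[pid]
            new_owner = ev.get("device_owner")
            if new_owner is None or new_owner == old_owner:
                continue  # update did not change device_owner
            if ts - t0 <= window:
                findings.append({"port_id": pid, "tenant": ev["tenant"],
                                 "from": old_owner, "to": new_owner,
                                 "seconds_after_create": (ts - t0).total_seconds()})
            created[pid] = (t0, new_owner)  # keep creation time, track current owner
    return findings


if __name__ == "__main__":
    for finding in flag_rapid_owner_changes(SAMPLE_EVENTS):
        print(finding)
```

Only port `p-1` is flagged in the sample: `p-2` changes owner long after creation, and the update to `p-3` leaves the owner unchanged.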

CVEID: CVE-2015-3280
DESCRIPTION:
OpenStack Nova is vulnerable to a denial of service, caused by an error when an image is deleted while in resize state. A remote authenticated attacker could exploit this vulnerability using the original image from the compute node to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106083 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM SmartCloud Entry 3.2 through Appliance fix pack 18
IBM SmartCloud Entry 3.1 through Appliance fix pack 18

Workarounds and Mitigations

None

References

Change History

21 March 2016: Original version published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 18 July 2020

UID: isg3T1023494