OpenBMC Solution To CVE issues

Joseph Reynolds jrey at linux.ibm.com
Wed Aug 14 00:46:25 AEST 2019


On 8/12/19 10:21 PM, Yonghui YH21 Liu wrote:
>
> HI All,
>
>          I saw there are some solutions to public CVE issues, some 
> solution are not enable by default setting.
>
I've provided by initial thoughts about how these CVEs affect OpenBMC.  
This is from the point of view of code running on OpenBMC 2.7.0 
systems.  My responses disregard vulnerabilities which may affect the 
build host.

Will BMC subject matter experts review the information below and provide 
answers?

- Joseph

>          As we know, there are some new coming CVE issues. Could you 
> help confirm whether below issues will be fixed? Is yes, when will be 
> ready?
>
>       CVE-2019-12900
>
The problem: BZ2 decompress - affects bzip2 through 1.0.6
Impact: we are impacted, we are at bzip2 1.0.6
How to exploit?  Do any OpenBMC interfaces use BZ2 compression? Image 
upload?  Web interfaces?  If so, we may be impacted.

> CVE-2018-20843
>
The problem: affects Expat XML before 2.2.7
Impact: Not applicable, OpenBMC does not use XML

> CVE-2019-9169
>
The problem: glibc/libc6 regexec proceed_next_node
Impact: we are impacted, we are on glibc 2.29
How to exploit?  Do any OpenBMC interfaces parse regular expressions?  
If so we may be impacted?  If not, this will be hared to exploit.

> CVE-2018-20750
>
The problem: libvncserver/rfbserver.c, affects LibVNC through 0.9.12
Impact: we may be impacted, we are on 0.9.12
Does our KVM use vncserver?

> CVE-2019-13404
>
The problem: Python installer, applies to Windows
Impact: not applicable, note that OpenBMC removed Python from the image

> Thank your great support in advance!
>
> Thanks
>



More information about the openbmc mailing list