OpenBMC Solution To CVE issues

Patrick Venture venture at google.com
Wed Aug 14 01:55:55 AEST 2019


On Tue, Aug 13, 2019 at 7:46 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:
>
> On 8/12/19 10:21 PM, Yonghui YH21 Liu wrote:
> >
> > Hi All,
> >
> >          I saw there are some solutions to public CVE issues, some
> > solutions are not enabled by default setting.
> >
> I've provided my initial thoughts about how these CVEs affect OpenBMC.
> This is from the point of view of code running on OpenBMC 2.7.0
> systems.  My responses disregard vulnerabilities which may affect the
> build host.
>
> Will BMC subject matter experts review the information below and provide
> answers?
>
> - Joseph
>
> >          As we know, there are some newly arriving CVE issues. Could you
> > help confirm whether the below issues will be fixed? If yes, when will
> > they be ready?
> >
> >       CVE-2019-12900
> >
> The problem: BZ2 decompress - affects bzip2 through 1.0.6
> Impact: we are impacted, we are at bzip2 1.0.6
> How to exploit?  Do any OpenBMC interfaces use BZ2 compression? Image
> upload?  Web interfaces?  If so, we may be impacted.
>
> > CVE-2018-20843
> >
> The problem: affects Expat XML before 2.2.7
> Impact: Not applicable, OpenBMC does not use XML
>
> > CVE-2019-9169
> >
> The problem: glibc/libc6 regexec proceed_next_node
> Impact: we are impacted, we are on glibc 2.29
> How to exploit?  Do any OpenBMC interfaces parse regular expressions?
> If so we may be impacted?  If not, this will be hard to exploit.

We parse regular expressions, however they're pre-programmed, versus
allowing user-input.  This makes them difficult to exploit.  I don't
know if bmcweb offers that type of input from the user, but I can't
imagine -- but someone can follow up.

>
> > CVE-2018-20750
> >
> The problem: libvncserver/rfbserver.c, affects LibVNC through 0.9.12
> Impact: we may be impacted, we are on 0.9.12
> Does our KVM use vncserver?
>
> > CVE-2019-13404
> >
> The problem: Python installer, applies to Windows
> Impact: not applicable, note that OpenBMC removed Python from the image
>
> > Thank you for your great support in advance!
> >
> > Thanks
> >
>

