OpenBMC Solution To CVE issues
Ed Tanous
ed.tanous at intel.com
Wed Aug 14 06:53:09 AEST 2019
On 8/13/19 7:46 AM, Joseph Reynolds wrote:
>>
> The problem: BZ2 decompress - affects bzip2 through 1.0.6
> Impact: we are impacted, we are at bzip2 1.0.6
> How to exploit? Do any OpenBMC interfaces use BZ2 compression? Image
> upload? Web interfaces? If so, we may be impacted.
The web doesn't implement BZ2 compression, only GZIP.
>
>> CVE-2018-20843
>>
> The problem: affects Expat XML before 2.2.7
> Impact: Not applicable, OpenBMC does not use XML
Do we even use libexpat anywhere? We use XML in several places, but I
can't think of anywhere we use Expat.
>
>> CVE-2019-9169
>>
> The problem: glibc/libc6 regexec proceed_next_node
> Impact: we are impacted, we are on glibc 2.29
> How to exploit? Do any OpenBMC interfaces parse regular expressions?
> If so we may be impacted? If not, this will be hard to exploit.
I just audited all uses of std::regex in bmcweb. They are all using
compile-time strings for generating their expression. Also, all uses
are post-authentication (on purpose) so even if there was an exploit, it
would be a relatively low CVE score, as it would require valid
credentials to exploit.
>
>> CVE-2018-20750
>>
> The problem: libvncserver/rfbserver.c, affects LibVNC through 0.9.12
> Impact: we may be impacted, we are on 0.9.12
> Does our KVM use vncserver?
Yes. We will just need to upgrade the package version when the new
release is available.
>
>> CVE-2019-13404
>>
> The problem: Python installer, applies to Windows
> Impact: not applicable, note that OpenBMC removed Python from the image
>
>> Thank you for your great support in advance!
>>
>> Thanks
>>
>
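
An added example, not part of the original message and not bmcweb code: a heuristic Python check for the property described in the std::regex audit above, namely that every `std::regex` is constructed from a single compile-time string literal. The C++ sample lines, including the `req.getParam` call, are constructed for illustration.

```python
import re

# Matches a std::regex construction: optional variable name, then ( or {,
# and captures the rest of the line as the argument text.
# The \b keeps std::regex_match / std::regex_search from matching.
CTOR = re.compile(r'std::regex\b\s*(\w+)?\s*[({]\s*(.*)')

# An argument that is exactly one string literal (plain or raw) followed by
# the end of the argument. A literal joined to anything else, such as
# "^" + prefix, does not match and is reported.
LITERAL = re.compile(
    r'(?:u8|[uUL])?(?:R"(\w*)\(.*?\)\1"|"(?:[^"\\]|\\.)*")\s*[,)}]')


def find_dynamic_regex(source):
    """Return (line_no, name) for each std::regex not built from a lone literal.

    Line-based heuristic: a pattern argument that starts on the following
    line, or a function declared to return std::regex, is reported as well,
    so every hit needs a manual look.
    """
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        m = CTOR.search(line)
        if m and not LITERAL.match(m.group(2)):
            hits.append((no, m.group(1) or "<temporary>"))
    return hits


# Constructed C++ sample (hypothetical names, not taken from bmcweb).
SAMPLE = r'''
static const std::regex validFilename(R"(^[A-Za-z0-9_.-]+$)");
std::regex ipv4{"^\\d+\\.\\d+\\.\\d+\\.\\d+$"};
std::regex userFilter(req.getParam("filter"));
if (std::regex_match(name, validFilename)) { accept(); }
std::regex built("^" + prefix);
'''

if __name__ == "__main__":
    for line_no, name in find_dynamic_regex(SAMPLE):
        print(f"line {line_no}: std::regex '{name}' has a non-literal pattern")
```
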