OpenBMC Solution To CVE issues

Ed Tanous ed.tanous at intel.com
Wed Aug 14 06:53:09 AEST 2019


On 8/13/19 7:46 AM, Joseph Reynolds wrote:
>>
> The problem: BZ2 decompress - affects bzip2 through 1.0.6
> Impact: we are impacted, we are at bzip2 1.0.6
> How to exploit?  Do any OpenBMC interfaces use BZ2 compression? Image
> upload?  Web interfaces?  If so, we may be impacted.
The web doesn't implement BZ2 compression, only GZIP.

> 
>> CVE-2018-20843
>>
> The problem: affects Expat XML before 2.2.7
> Impact: Not applicable, OpenBMC does not use XML
Do we even use libexpat anywhere?  We use XML in several places, but I
can't think of anywhere we use Expat.

> 
>> CVE-2019-9169
>>
> The problem: glibc/libc6 regexec proceed_next_node
> Impact: we are impacted, we are on glibc 2.29
> How to exploit?  Do any OpenBMC interfaces parse regular expressions? 
> If so we may be impacted?  If not, this will be hard to exploit.
I just audited all uses of std::regex in bmcweb.  They are all using
compile-time strings for generating their expression.  Also, all uses
are post-authentication (on purpose) so even if there was an exploit, it
would be a relatively low CVE score, as it would require valid
credentials to exploit.

> 
>> CVE-2018-20750
>>
> The problem: libvncserver/rfbserver.c, affects LibVNC through 0.9.12
> Impact: we may be impacted, we are on 0.9.12
> Does our KVM use vncserver?
Yes.  We will just need to upgrade the package version when the new
release is available.

> 
>> CVE-2019-13404
>>
> The problem: Python installer, applies to Windows
> Impact: not applicable, note that OpenBMC removed Python from the image
> 
>> Thank your great support in advance!
>>
>> Thanks
>>
> 
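
The audit described in the reply above (checking that every std::regex is built from a compile-time string) can be approximated with a scanner. This is an added example, not part of the original thread or of bmcweb; the C++ sample is constructed, and the scanner is a text heuristic, so flagged sites still need manual review.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int        # 1-based line of the construction site
    variable: str    # declared name, or "<temporary>"
    literal: bool    # True if the pattern argument is a string literal

# std::regex name(...), std::regex name{...} or a temporary std::regex(...).
# The \b after "regex" keeps std::regex_match / std::regex_search out.
CTOR = re.compile(r'\bstd::regex\b\s*(?:(\w+)\s*)?[({]\s*')
# Ordinary, prefixed (u8, u, U, L) or raw (R"...") string literal.
LITERAL = re.compile(r'(?:u8|[uUL])?R?"')

def audit_regex_patterns(source: str) -> List[Finding]:
    findings = []
    for m in CTOR.finditer(source):
        rest = source[m.end():]
        if rest[:1] in ')}':          # default-constructed, no pattern
            continue
        findings.append(Finding(
            line=source.count('\n', 0, m.start()) + 1,
            variable=m.group(1) or '<temporary>',
            literal=LITERAL.match(rest) is not None,
        ))
    return findings

def needs_review(source: str) -> List[Finding]:
    """Sites whose pattern is not a literal and may be runtime data."""
    return [f for f in audit_regex_patterns(source) if not f.literal]

# Constructed C++ sample, not taken from bmcweb.
SAMPLE = r'''static const std::regex validFilename(R"(^[\w\- ]+(\.?[\w\- ]*)$)");
bool matches(const std::string& userPattern, const std::string& s) {
    std::regex re(userPattern);
    return std::regex_match(s, re);
}
std::regex ipv4{"^[0-9.]+$"};
'''

if __name__ == '__main__':
    for f in audit_regex_patterns(SAMPLE):
        status = 'literal' if f.literal else 'REVIEW: non-literal pattern'
        print(f'line {f.line}: {f.variable}: {status}')
```

A function declared as returning std::regex is also reported as a non-literal site, which is a false positive to dismiss by hand.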

