PowerVM

  • 1.  Missing Security Bulletin Notification for CVE-2021-29795

    Posted Mon October 11, 2021 03:10 AM
    Hello group,

    there is a new PowerVM Security Bulletin: The PowerVM hypervisor is vulnerable to a specially crafted sequence of hypervisor calls from a partition that can lead to a system crash
    An attacker that gains total control of a virtual machine running on the PowerVM hypervisor could issue a specially crafted sequence of hypervisor calls that will lead to a system crash and an outage of all virtual machines running on the same system.

    The problem is, neither I nor my colleagues have received an IBM email notification about it. Is there any "secret" subscription, so we could reliably get notifications about security issues? My subscriptions are for:

    PowerVM Enterprise Edition for Small Servers
    PowerVM for IBM PowerLinux
    PowerVM VIOS Enterprise Edition
    PowerVM VIOS Standard Edition
    PowerVM Virtual I/O Server

    Thanks,
    P. Tanovski

    ------------------------------
    Plamen Tanovski
    ------------------------------


  • 2.  RE: Missing Security Bulletin Notification for CVE-2021-29795

    Posted Mon October 11, 2021 04:43 AM

    Hello Plamen,

    This is Deepak here from PowerVM VIOS support. Even though the advisory mentions PowerVM, this actually falls under Power Hypervisor and is fixed at the hypervisor layer using a Hardware Firmware Fix (FW1010.01(MH1010_069)) as listed in the advisory itself:

    https://www.ibm.com/support/pages/node/6495879?myns=pwrmicro&mynp=OCHW1A1&mync=E&cm_sp=pwrmicro-_-OCHW1A1-_-E

    For the same reason, it is not listed under PowerVM VIOS in FLRT. Hence you would not get the notification via the PowerVM notifications.
    https://www14.software.ibm.com/webapp/set2/flrt/doc?page=security&os=vios_sec

    Not sure you get similar fix notifications. If you did, you should get notified by that notification.



    ------------------------------
    Deepak Menezes
    ------------------------------



  • 3.  RE: Missing Security Bulletin Notification for CVE-2021-29795

    Posted Mon October 11, 2021 06:08 AM
    Thanks Deepak,

    unfortunately there is no Power hypervisor topic I could subscribe to.

    Best regards,
    P. Tanovski

    ------------------------------
    Plamen Tanovski
    ------------------------------



  • 4.  RE: Missing Security Bulletin Notification for CVE-2021-29795

    Posted Tue October 12, 2021 01:53 AM
    Hi,

    I did receive a notification regarding this... but the email does not exactly state which subscription it is related to.

    But I noticed that when you tag products for notifications, one can select which type of documents / information will be sent; so please check that all needed ones are tagged:



    ------------------------------
    Tommi Sihvo, Lead Service Architect
    TietoEVRY, Compute Services
    email tommi.sihvo@tieto.com mobile +358 (0)40 5180 Finland
    ------------------------------



  • 5.  RE: Missing Security Bulletin Notification for CVE-2021-29795

    Posted Wed October 13, 2021 10:51 AM
    Hi,

    I received the E-Mail notification for the mentioned vulnerability. You have to subscribe to product "Power (all current and future products)".

    Kind Regards,
    Markus


    ------------------------------
    Markus Feichtinger
    System Administrator and Team Leader Core Systems
    Bundesanstalt Statistik Österreich
    Vienna
    +431711287232
    ------------------------------



  • 6.  RE: Missing Security Bulletin Notification for CVE-2021-29795

    Posted Wed October 13, 2021 10:55 AM
    Hi,

    I received an E-Mail notification for this vulnerability. You have to subscribe to product "Power (all current and future products)".

    Kind Regards,
    Markus


    ------------------------------
    Markus Feichtinger
    System Administrator and Team Leader Core Systems
    Bundesanstalt Statistik Österreich
    Vienna
    +431711287232
    ------------------------------