Critical Security Vulnerability In PowerVM Hypervisor
May 22, 2023 Timothy Prickett Morgan
IBM’s Product Security Incident Response Team (PSIRT) put out a notice on Wednesday, May 17, to inform the Power Systems installed base that there is a very serious security vulnerability in the PowerVM hypervisor. You can see the PSIRT notice at this link and the Security Bulletin: This Power System firmware update is being released to address CVE 2023-30438 at this link. This has a CVSS base score of 9.3, which means it is critical.
We very rarely see any security vulnerabilities being reported for the PowerVM hypervisor or for the IBM i operating system itself, for that matter, so this one took us a little by surprise. And Big Blue reached out to us immediately to tell us about the situation and the mitigations for the vulnerability because PowerVM is so pervasively installed on Power Systems iron.
Here’s the description of the situation: “An internally discovered vulnerability in PowerVM, on Power9 and Power10 systems. This vulnerability could allow an attacker with privileged user access to a logical partition to perform an undetected violation of the isolation between logical partitions. This could lead to data leakage or the execution of arbitrary code in other logical partitions on the same physical server.”
IBM found this potential bug in the firmware that is used on Power9 and Power10 systems, and says that machines that use Power8 and earlier servers, which use the OP9XX firmware releases, cannot be attacked through this vulnerability. As far as IBM knows, no one has been attacked through this vulnerability, but you have to patch your system right now to make sure you are not the first.
We had originally thought that there might be a vulnerability in the Virtual LAN software stack that has been resident in the OS/400, i5/OS, and IBM i operating system running PowerVM and earlier hypervisors, but it doesn’t sound like it. Or, IBM changed something fundamental in this VLAN setup with the Power9 and Power10 machines and it was not changed with earlier hardware. (VLAN allows the NUMA connections between processors to act as a virtual local area network to link logical partitions within a single physical machine, which is obviously has a lot lower latency and a lot higher bandwidth than going from one VM through a slice of a physical Ethernet card and then over the switching infrastructure and back in through another slice of a physical Ethernet card to another VM to link them.)
IBM says that any Power9 or Power10 server identified in the Security Bulletin with multiple partitions is potentially affected; no matter how the partitions were created or managed. There is a bit of a wonky situation on certain Power10 machines when it comes to patching, so pay attention. A Power10 system running firmware below FW1010.10 will need to apply the fix disruptively, which means that the server must be powered off to apply the fix and eliminate this vulnerability. Any higher firmware levels on the Power10 machines can have the patch applied concurrently while the machine is still running and it will be locked down.
IBM “strongly recommends” customers with Power9 machinery install FW950.71(950_124) or newer to remediate this vulnerability. Those with Power E1080 servers need to install FW1010.51(1010_163), FW1030.11(1030_052) or newer to remediate, and those on the other Power10-based systems need to install FW1020.31(1020_102), FW1030.11(1030_058) or newer to remediate.
Finally, for those of you who are on the IBM Cloud running Power Systems Virtual Server slices, these cloud instances were indeed exposed to this vulnerability and all servers on the IBM Cloud running Power9 and Power10 iron – which means all of them because there are no Power8 or earlier machines on the Power VS offering – have been patched, top to bottom.
PowerVM, vHMC, HMC, And Cloud Management Console Get Their Tweaks
Critical Log4j Vulnerability Hits Everything, Including the IBM i Server
Some Good Advice About Log4j Mitigation Gotchas
IBM Winds Down PowerVM V2, Nudges Customers To PowerVM V3
thanks Timothy, appreciate the warning, we’ll patch next windows along with the next TR/PTF.
Updating from fw1030.10(045) right now to (060) on a Power10 9105-41B
And THIS IS disruptive.