Update On Critical Security Vulnerability In PowerVM
May 24, 2023 Timothy Prickett Morgan
Earlier this week, we told you about a very serious security vulnerability in the PowerVM hypervisor when running on Power9 and Power10 systems. IBM found the vulnerability itself and immediately set about to patch the vulnerability, which it revealed on May 17 along with patches to firmware in systems that are managed by the Hardware Management Console, or HMC.
What was not necessarily apparent was that there are plenty of Power Systems customers who do not have HMCs managing their systems and the logical partitions upon them, and this is particularly true of the IBM i installed base, which is dominated by smaller Power System machines with relatively few logical partitions that are set up through other means, such as the Virtual Partition Manager (PVM) that has been on the box for about a decade and a half.
Doug Bidwell, our intrepid systems guru as well as the editor of the IBM i PTF Guide has been digging around and on May 22 Big Blue released documentation explaining how to patch standalone Power9 and Power10 servers so this PowerVM security hole is plugged, which you can read here. There are updates for firmware for Power9 standalone machines (designated by MH01951) and Power10 standalone machines (designated by MH01955 and MH01952). Interestingly, firmware patches were also made available for standalone Power8 systems (designated by MH01929 for everything but the high-end Power E870s and E880s (designated by SC860_245_165), but as far as we know Power8 and earlier systems are not affected by this PowerVM vulnerability. Go figure.
As far as we know, this security vulnerability has not been exploited out there in the wild, but you have to patch your Power9 and Power10 systems if you have not because the very fact that IBM let people know there is a hole means that someone will eventually try to exploit it.
You can see the PSIRT notice at this link and the Security Bulletin: This Power System firmware update is being released to address CVE 2023-30438 at this link. This has a CVSS base score of 9.3, which means it is critical.
Critical Security Vulnerability In PowerVM Hypervisor
PowerVM, vHMC, HMC, And Cloud Management Console Get Their Tweaks
Critical Log4j Vulnerability Hits Everything, Including the IBM i Server
Some Good Advice About Log4j Mitigation Gotchas
IBM Winds Down PowerVM V2, Nudges Customers To PowerVM V3