Readme file for: IBM® Power Virtualization Center
Publication Date: June 6, 2024

This iFix applies to IBM PowerVC 2.1.1.1.

CVE-2023-44271 - An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

CVE-2023-50447 - Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Pre-requisite step:
------------------
Install the previous 2.1.1.1 PSIRT bundle: IT45572-2.1.1.1-OPSMGR.tgz

Installation steps:
------------------
1) Take a backup of PowerVC.

2) Copy the included IT46038-2.1.1.1-POWERVC.tgz file to the PowerVC primary node.

3) Run the following command from the primary node to apply the iFix on all the PowerVC nodes one by one:

   powervc-opsmgr apply-ifix --ifix <ifix_file> -c <cluster_name> --host <hostname>

   Example:
   powervc-opsmgr apply-ifix --ifix /root/IT46038-2.1.1.1-POWERVC.tgz -c <cluster_name> --host <hostname>

   If the iFix installation fails for the host, then rerun the command in Step 4.

   Note: The <hostname> can be obtained by running the "powervc-opsmgr inventory -l" command. If the inventory is created with a hostname, then use the hostname in the apply-ifix command. If the hostip is used when the inventory is created, then use the hostip in the apply-ifix command.

4) Check whether the iFix has been successfully applied on all nodes by running these commands:

   powervc-opsmgr apply-ifix -l -c <cluster_name>
   yum repo-pkgs ifix-IT46038-2.1.1.1-POWERVC list --showduplicates

Expected Output:
---------------

RHEL:
----
# yum repolist
Updating Subscription Management repositories.
repo id                                   repo name
Powervc-Opsmgr-IFix                       powervc-opsmgr-ifix
Powervc-Opsmgr-IFix-IT45537               powervc-opsmgr-ifix-IT45537
codeready-builder-for-rhel-9-x86_64-rpms  Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs)
powervc-ifix-IT46037-2.1.1-POWERVC        IT46037-2.1.1-POWERVC
powervc-noarch                            POWERVC Openstack noarch
powervc-opsmgr-noarch                     POWERVC Opsmgr noarch
powervc-opsmgr-x86_64                     POWERVC Opsmgr x86_64
powervc-x86_64                            POWERVC Openstack x86_64
pvc-openstack-multiarch-rhel9             POWERVC Openstack multiarch rhel9
pvc-openstack-noarch                      POWERVC Openstack noarch
pvc-openstack-noarch-rhel9                POWERVC Openstack noarch rhel9
pvc-openstack-x86_64                      POWERVC Openstack x86_64
rhel-9-for-x86_64-appstream-rpms          Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
rhel-9-for-x86_64-baseos-rpms             Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
rhel-9-for-x86_64-highavailability-rpms   Red Hat Enterprise Linux 9 for x86_64 - High Availability (RPMs)
rhel-9-for-x86_64-supplementary-rpms      Red Hat Enterprise Linux 9 for x86_64 - Supplementary (RPMs)

# yum repo-pkgs ifix-IT46038-2.1.1.1-POWERVC list
Updating Subscription Management repositories.
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)               23 kB/s | 4.1 kB   00:00
Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs)            18 kB/s | 4.5 kB   00:00
Red Hat Enterprise Linux 9 for x86_64 - Supplementary (RPMs)        17 kB/s | 3.7 kB   00:00
Red Hat Enterprise Linux 9 for x86_64 - High Availability (RPMs)    27 kB/s | 4.0 kB   00:00
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)            30 kB/s | 4.5 kB   00:00
Installed Packages
libraqm.x86_64          0.7.0-4.ibm.el9      @ifix-IT46038-2.1.1.1-POWERVC
python3-pillow.x86_64   10.2.0-1.ibm.el9     @ifix-IT46038-2.1.1.1-POWERVC

SLES:
----
zypper pa -ir 19
Loading repository data...
Reading installed packages...
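As an added post-apply check (example code, not part of the IBM readme), the following parses the RHEL "yum repo-pkgs ... list" output from Step 4 and reports, per CVE, whether the installed python3-pillow build is at or beyond the fixed version and whether it came from the iFix repo. The two sample listings inside it are constructed to mirror the readme's output; the fix thresholds are taken from the CVE text above.

```python
"""Added example, not from the IBM readme: parse the Step 4 'yum repo-pkgs ... list'
output and check the installed python3-pillow build against the two CVE fix thresholds."""
import re

# First fixed upstream Pillow version per CVE (readme: 44271 affects < 10.0.0, 50447 through 10.1.0)
CVE_FIXED_IN = {"CVE-2023-44271": (10, 0, 0), "CVE-2023-50447": (10, 2, 0)}
IFIX_REPO = "@ifix-IT46038-2.1.1.1-POWERVC"  # repo tag the iFix packages carry in the listing

# One 'yum list' row: <name>.<arch>  <[epoch:]version-release>  <repo>
PKG_ROW = re.compile(r"^(?P<name>\S+)\.(?P<arch>\S+)\s+(?P<evr>\S+)\s+(?P<repo>\S+)\s*$")

def upstream_version(evr: str) -> tuple:
    """'10.2.0-1.ibm.el9' -> (10, 2, 0): drop the RPM release and any epoch prefix."""
    version = evr.split("-", 1)[0].split(":", 1)[-1]
    return tuple(int(part) for part in version.split("."))

def installed_packages(yum_output: str) -> dict:
    """Return {name: (evr, repo)} for rows under 'Installed Packages' only."""
    pkgs, in_installed = {}, False
    for line in yum_output.splitlines():
        if line.strip().endswith("Packages"):          # 'Installed'/'Available Packages' header
            in_installed = line.strip() == "Installed Packages"
            continue
        match = PKG_ROW.match(line) if in_installed else None
        if match:
            pkgs[match["name"]] = (match["evr"], match["repo"])
    return pkgs

def pillow_status(yum_output: str) -> dict:
    """Per CVE, True when python3-pillow is at or past the fixed version; 'repo_ok' is
    True only when it came from the iFix repo. A missing package yields all False."""
    evr, repo = installed_packages(yum_output).get("python3-pillow", ("0", ""))
    have = upstream_version(evr)
    status = {cve: have >= fixed for cve, fixed in CVE_FIXED_IN.items()}
    status["repo_ok"] = repo == IFIX_REPO
    return status

# Constructed samples: a node after a successful apply, and one still on a 10.1.0 base build.
SAMPLE_PATCHED = """\
Updating Subscription Management repositories.
Installed Packages
libraqm.x86_64         0.7.0-4.ibm.el9    @ifix-IT46038-2.1.1.1-POWERVC
python3-pillow.x86_64  10.2.0-1.ibm.el9   @ifix-IT46038-2.1.1.1-POWERVC
"""
SAMPLE_STALE = "Installed Packages\npython3-pillow.x86_64  10.1.0-2.ibm.el9   @powervc-x86_64\n"

if __name__ == "__main__":
    for label, out in (("patched", SAMPLE_PATCHED), ("stale", SAMPLE_STALE)):
        print(label, pillow_status(out))
```

Run it against the real listing from each node (for example by piping the yum output into `pillow_status`) to confirm both CVE keys and `repo_ok` are True before treating the node as patched.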
S  | Repository                   | Name           | Version             | Arch
---+------------------------------+----------------+---------------------+--------
i+ | ifix-IT46038-2.1.1.1-POWERVC | python3-pillow | 10.2.0-1.150100.ibm | ppc64le
--- End of list ---

Copyright and trademark information
http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Third-Party License Terms and Conditions, Notices and Information

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code.
The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

* the Excluded Components are provided on an "AS IS" basis
* IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* IBM will not be liable to you or indemnify you for any claims related to the Excluded Components
* IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.

Document change history