Advisory

Critical Security Vulnerability reported in IBM PowerVM Hypervisor

Take action: Even though vulnerabilities in IBM Power systems are very rare, they do occur. Please patch your Power9 and Power10 systems, bearing in mind that some systems will require downtime.


Learn More

IBM's Product Security Incident Response Team (PSIRT) issued a notification about a high-severity vulnerability in the PowerVM hypervisor used in Power Systems. The vulnerability, tracked as CVE-2023-30438, is rated critical with a CVSS base score of 9.3.

The vulnerability, which was discovered internally, affects PowerVM on Power9 and Power10 systems. If exploited, an attacker with privileged user access to a logical partition could breach the isolation between partitions, potentially resulting in data leakage or the execution of unauthorized code on other logical partitions residing on the same physical server.

Any Power9 or Power10 server with multiple partitions is potentially affected, regardless of how the partitions were created or are managed. Patching Power10 machines carries a specific consideration: servers running firmware below FW1010.10 require a disruptive fix that necessitates powering off the server, whereas machines at higher firmware levels can receive the patch concurrently, while still operational.

IBM strongly advises Power9 users to install FW950.71(950_124) or a newer version to address the vulnerability. Power E1080 server owners should install FW1010.51(1010_163), FW1030.11(1030_052), or newer, while other Power10-based systems require FW1020.31(1020_102), FW1030.11(1030_058), or newer firmware for remediation.
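As an added example (not from the advisory or from IBM), the following Python check compares a system's firmware level string, written in the form the advisory uses, against the minimum fixed levels above and flags Power10 systems that would need a disruptive update. The platform labels, the sample hostnames and levels, and the decision to report unlisted release streams as undetermined rather than fixed are my assumptions.

```python
import re

# Minimum fixed firmware levels from the advisory for CVE-2023-30438, keyed by
# platform label (my naming), then by release stream -> minimum service pack.
MIN_FIXED = {
    "power9":        {950: 71},             # FW950.71 (950_124)
    "power10-e1080": {1010: 51, 1030: 11},  # FW1010.51 (1010_163), FW1030.11 (1030_052)
    "power10-other": {1020: 31, 1030: 11},  # FW1020.31 (1020_102), FW1030.11 (1030_058)
}
# Power10 servers below this level need a disruptive (power-off) fix.
DISRUPTIVE_BELOW = (1010, 10)

FW_RE = re.compile(r"^FW(\d{3,4})\.(\d+)")

def parse_fw(level):
    """Return (release, service_pack) from a level such as 'FW1010.51(1010_163)'.
    The build id in parentheses does not affect the comparison."""
    m = FW_RE.match(level.strip())
    if not m:
        raise ValueError(f"unrecognised firmware level: {level!r}")
    return int(m.group(1)), int(m.group(2))

def assess(platform, level):
    """Compare an installed level against the advisory minimums.
    'fixed' is True/False when the release stream is listed in the advisory and
    None for unlisted streams, so the caller verifies with IBM instead of assuming."""
    release, sp = parse_fw(level)
    mins = MIN_FIXED[platform]
    fixed = None if release not in mins else sp >= mins[release]
    disruptive = (fixed is not True and platform.startswith("power10")
                  and (release, sp) < DISRUPTIVE_BELOW)
    return {"level": (release, sp), "fixed": fixed, "disruptive_update": disruptive}

def hosts_needing_action(inventory):
    """inventory: iterable of (hostname, platform, level). Returns the hosts whose
    firmware is not confirmed fixed, each paired with its assessment."""
    results = ((host, assess(platform, level)) for host, platform, level in inventory)
    return [(host, r) for host, r in results if r["fixed"] is not True]

# Constructed sample inventory (hostnames and the non-advisory levels are invented).
SAMPLE = [
    ("p9-db01",  "power9",        "FW950.71(950_124)"),
    ("p9-app02", "power9",        "FW950.60(950_099)"),
    ("e1080-01", "power10-e1080", "FW1010.05(1010_070)"),
    ("s1022-03", "power10-other", "FW1020.31(1020_102)"),
]

if __name__ == "__main__":
    for host, result in hosts_needing_action(SAMPLE):
        print(host, result)
```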

IBM Cloud's Power Systems Virtual Server instances were also exposed to the vulnerability. IBM has since patched all Power9 and Power10 servers in the IBM Cloud environment, which covers the whole fleet because there are no Power8 or earlier machines in the Power VS offering.
