PT-2021-21249 · OpenPOWER
Published
2021-10-22
·
Updated
2021-10-27
·
CVE-2021-36357
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenPOWER version 2.6
Description
An issue was discovered in the OpenPOWER firmware. The unpack_timestamp() function calls le32_to_cpu() for endian conversion of a uint16_t "year" value. Applying a 32-bit conversion to a 16-bit field is a type mismatch: the converted result is truncated when it is stored back into the uint16_t, so a higher year value collapses to a smaller one, and the timestamp check that relies on the parsed value can be bypassed.
Recommendations
For OpenPOWER version 2.6, the fix is to use the endian conversion function whose width matches the field, i.e. the 16-bit variant (le16_to_cpu()) for the uint16_t year rather than le32_to_cpu().
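The following added example is not code from the advisory or from the OpenPOWER firmware; it models the type mismatch and the one-function fix side by side. It emulates a big-endian host, where le32_to_cpu() and le16_to_cpu() actually byte-swap (on a little-endian host both are no-ops and the bug does not surface). The record layout (little-endian uint16_t year followed by single-byte month, day, hour, minute, second), the helper names (be_load16, be_le32_to_cpu, is_newer, and so on), the monotonic "must be newer than the stored timestamp" check, and the sample records are all assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed EFI_TIME-style timestamp: a little-endian uint16_t year
 * followed by single-byte fields. Layout is an assumption for the demo. */
struct ts {
    uint16_t year;
    uint8_t month, day, hour, minute, second;
};

/* Emulated big-endian host: a raw 16-bit load sees bytes in memory order. */
static uint16_t be_load16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}
/* le16_to_cpu() as it behaves on a big-endian host: swap the two bytes. */
static uint16_t be_le16_to_cpu(uint16_t v) {
    return (uint16_t)((v << 8) | (v >> 8));
}
/* le32_to_cpu() as it behaves on a big-endian host: swap all four bytes. */
static uint32_t be_le32_to_cpu(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Vulnerable shape: a 32-bit conversion applied to a 16-bit value.
 * The uint16_t (0xE507 for year 2021 as loaded on the big-endian host) is
 * promoted to 0x0000E507, swapped to 0x07E50000, then truncated back to
 * uint16_t on assignment, so the parsed year is 0 for every input. */
static void unpack_timestamp_vuln(const uint8_t *data, struct ts *out) {
    out->year = be_le32_to_cpu(be_load16(data));   /* BUG: width mismatch */
    out->month = data[2]; out->day = data[3];
    out->hour = data[4]; out->minute = data[5]; out->second = data[6];
}

/* Fixed shape: the conversion width matches the field width. */
static void unpack_timestamp_fixed(const uint8_t *data, struct ts *out) {
    out->year = be_le16_to_cpu(be_load16(data));
    out->month = data[2]; out->day = data[3];
    out->hour = data[4]; out->minute = data[5]; out->second = data[6];
}

/* Hypothetical monotonic check of the kind the advisory refers to: a new
 * timestamp is accepted only if it is strictly later than the stored one. */
static bool is_newer(const struct ts *n, const struct ts *old) {
    if (n->year != old->year)     return n->year > old->year;
    if (n->month != old->month)   return n->month > old->month;
    if (n->day != old->day)       return n->day > old->day;
    if (n->hour != old->hour)     return n->hour > old->hour;
    if (n->minute != old->minute) return n->minute > old->minute;
    return n->second > old->second;
}

/* Constructed sample records (year stored little-endian). */
static const uint8_t stored_2021[7]   = { 0xE5, 0x07, 1, 1, 0, 0, 0 }; /* 2021-01-01 */
static const uint8_t replayed_2019[7] = { 0xE3, 0x07, 6, 1, 0, 0, 0 }; /* 2019-06-01 */

/* Year as parsed by the vulnerable and fixed unpackers. */
static unsigned year_vuln(const uint8_t *rec) {
    struct ts t; unpack_timestamp_vuln(rec, &t); return t.year;
}
static unsigned year_fixed(const uint8_t *rec) {
    struct ts t; unpack_timestamp_fixed(rec, &t); return t.year;
}

/* Does an older (2019) record pass the "newer than stored (2021)" check?
 * With the vulnerable unpacker both years parse as 0, so the comparison
 * falls through to month (6 > 1) and the stale record is accepted. */
static bool replay_accepted(bool use_fixed) {
    struct ts old, n;
    if (use_fixed) {
        unpack_timestamp_fixed(stored_2021, &old);
        unpack_timestamp_fixed(replayed_2019, &n);
    } else {
        unpack_timestamp_vuln(stored_2021, &old);
        unpack_timestamp_vuln(replayed_2019, &n);
    }
    return is_newer(&n, &old);
}

int main(void) {
    printf("vulnerable parse of 2021 record: year=%u\n", year_vuln(stored_2021));
    printf("fixed parse of 2021 record:      year=%u\n", year_fixed(stored_2021));
    printf("older record accepted (vuln):  %s\n", replay_accepted(false) ? "yes" : "no");
    printf("older record accepted (fixed): %s\n", replay_accepted(true) ? "yes" : "no");
    return 0;
}
```

The point of the demo is that the wrong-width conversion does not merely mangle one year value; it zeroes the field for every input, so any comparison keyed on the year degrades to the lower-order fields and a stale payload can satisfy a "newer than stored" check. Compile-time help is available here: building with -Wconversion flags the uint32_t-to-uint16_t assignment in the vulnerable function.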
Fix
Weakness Enumeration
Related Identifiers
Affected Products
OpenPOWER