Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM045B04E2252E3B851D69AA785CAC9B0BD8A6AF9E04C95FB3C9A6AE0C081B07DB
HistoryJun 16, 2018 - 9:43 p.m.

Security Bulletin: Multiple vulnerabilities in file affect IBM Security Network Protection

2018-06-1621:43:49
www.ibm.com
15

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Summary

There are multiple vulnerabilities in file that is used by IBM Security Network Protection. These vulnerabilities include CVE-2014-3538, CVE-2014-3587, CVE-2014-3710, CVE-2014-8116, CVE-2014-8117, CVE-2014-9620, and CVE-2014-9653.

Vulnerability Details

CVEID: CVE-2014-3538**
DESCRIPTION:** Fine Free file is vulnerable to a denial of service, caused by the failure to properly restrict the amount of data read during a regex search. A remote attacker could exploit this vulnerability using a specially-crafted file to consume all available CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94324 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3587**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by an incomplete fix related to the cdf_read_property_info() function. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3710**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by an out-of-bounds read in the donote() function. By persuading a victim to open a specially-crafted elf file, a remote attacker could exploit this vulnerability to cause the executable to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98385 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-8116**
DESCRIPTION:** file(1) is vulnerable to a denial of service, caused by an error in the readelf.c file. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99418 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-8117**
DESCRIPTION:** file(1) is vulnerable to a denial of service, caused by an error in the softmagic.c file. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-9620**
DESCRIPTION:** File is vulnerable to a denial of service, caused by an error in the ELF parser. A remote attacker could exploit this vulnerability using an overly long string to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100258 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-9653**
DESCRIPTION:** file could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in readelf.c. By persuading a victim to open a specially-crafted elf file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100749 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Products and Versions

IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.2

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Protection| Firmware version 5.3.1| Download Firmware 5.3.1.10 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.
IBM Security Network Protection| Firmware version 5.3.2| Install Firmware 5.3.2.4 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.

Workarounds and Mitigations

None

Related

redhat 2
centos 2
nessus 58
ibm 2
openvas 49
oraclelinux 2
fedora 3
securityvulns 4
amazon 4
freebsd_advisory 1
ubuntu 3
freebsd 1
osv 8
f5 4
debian 13
mageia 6
gentoo 2
cloudfoundry 1
cve 5
ubuntucve 6
prion 6
veracode 7
altlinux 1
debiancve 5
checkpoint_advisories 2
archlinux 2
redhat
redhat
(RHSA-2016:0760) Moderate: file security, bug fix, and enhancement update
2016-05-10 06:42:18
(RHSA-2015:2155) Moderate: file security and bug fix update
2015-11-19 14:41:30
centos
centos
file, python security update
2016-05-16 10:13:44
file, python security update
2015-11-30 19:28:42
nessus
nessus
CentOS 6 : file (CESA-2016:0760)
2016-05-17 00:00:00
Oracle Linux 6 : file (ELSA-2016-0760)
2016-05-16 00:00:00
RHEL 6 : file (RHSA-2016:0760)
2016-05-12 00:00:00
ibm
ibm
Security Bulletin: File vulnerabilities affect IBM SmartClound Entry
2020-07-19 00:49:12
Security Bulletin: Multiple vulnerabilities in file affect PowerKVM
2018-06-18 01:30:43
openvas
openvas
RedHat Update for file RHSA-2016:0760-01
2016-05-11 00:00:00
Amazon Linux: Security Advisory (ALAS-2015-497)
2015-09-08 00:00:00
Fedora Update for file FEDORA-2015-2020
2015-02-19 00:00:00
oraclelinux
oraclelinux
file security, bug fix, and enhancement update
2016-05-12 00:00:00
file security and bug fix update
2015-11-23 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: file-5.22-2.fc21
2015-02-18 05:55:37
[SECURITY] Fedora 20 Update: file-5.19-7.fc20
2014-10-29 11:03:54
[SECURITY] Fedora 21 Update: file-5.19-7.fc21
2014-11-10 06:44:48
securityvulns
securityvulns
libmagic / file / fileinfo / PHP security vulnerabilities
2015-03-18 00:00:00
FreeBSD Security Advisory FreeBSD-SA-14:28.file
2014-12-10 00:00:00
[SECURITY] [DSA 3196-1] file security update
2015-03-18 00:00:00
amazon
amazon
Medium: file
2015-03-23 08:32:00
Medium: file
2014-11-22 14:34:00
Medium: php54
2014-11-22 13:58:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-14:28.file
2014-12-10 00:00:00
ubuntu
ubuntu
file vulnerabilities
2015-02-04 00:00:00
file vulnerabilities
2018-06-14 00:00:00
file vulnerability
2014-10-03 00:00:00
freebsd
freebsd
file -- multiple vulnerabilities
2014-12-16 00:00:00
osv
osv
file - security update
2015-01-08 00:00:00
file - security update
2015-01-09 00:00:00
file - security update
2014-09-10 00:00:00
f5
f5
SOL16347 - Linux file utility vulnerabilities CVE-2014-8116 and CVE-2014-8117
2015-04-09 00:00:00
K16347 : Linux file utility vulnerabilities CVE-2014-8116 and CVE-2014-8117
2015-07-22 00:00:00
K15898 : PHP vulnerability CVE-2014-3710
2014-12-08 00:00:00
debian
debian
[SECURITY] [DLA 131-1] file security update
2015-01-09 07:25:54
[SECURITY] [DSA 3121-1] file security update
2015-01-08 18:46:52
[SECURITY] [DLA 50-1] file security update
2014-09-10 15:52:03
mageia
mageia
Updated file packages fix security vulnerabilities
2014-12-19 18:06:35
Updated php packages fix security vulnerabilities
2015-01-28 00:08:29
Updated [package] package fix CVE-2014-3710
2014-10-31 18:53:38
gentoo
gentoo
file: Multiple vulnerabilities
2017-01-17 00:00:00
file: Denial of service
2014-12-27 00:00:00
cloudfoundry
cloudfoundry
USN-3686-1: file vulnerabilities | Cloud Foundry
2018-06-20 00:00:00
cve
cve
CVE-2014-9653
2015-03-30 10:59:00
CVE-2014-9620
2015-01-21 18:59:00
CVE-2014-8117
2014-12-17 19:59:00
ubuntucve
ubuntucve
CVE-2014-9620
2015-01-21 00:00:00
CVE-2014-9653
2015-03-30 00:00:00
CVE-2014-8116
2014-12-17 00:00:00
prion
prion
Design/Logic Flaw
2015-01-21 18:59:00
Design/Logic Flaw
2015-03-30 10:59:00
Design/Logic Flaw
2014-12-17 19:59:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:29:34
Denial Of Service (DoS)
2019-05-02 05:29:34
Denial Of Service (DoS)
2019-05-02 05:29:34
altlinux
altlinux
Security fix for the ALT Linux 8 package file version 4.26-alt13
2017-03-28 00:00:00
debiancve
debiancve
CVE-2014-9653
2015-03-30 10:59:00
CVE-2014-8117
2014-12-17 19:59:00
CVE-2014-9620
2015-01-21 18:59:00
checkpoint_advisories
checkpoint_advisories
PHP Fileinfo cdf_read_property_info Denial of Service (CVE-2014-3587)
2014-10-26 00:00:00
PHP Fileinfo cdf_read_property_info Denial of Service - ver 2 (CVE-2014-3587)
2014-11-12 00:00:00
archlinux
archlinux
file: denial of service through out-of-bounds read
2014-11-12 00:00:00
php: denial of service
2014-11-13 00:00:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for 045B04E2252E3B851D69AA785CAC9B0BD8A6AF9E04C95FB3C9A6AE0C081B07DB
redhat2centos2nessus58ibm2openvas49oraclelinux2fedora3securityvulns4amazon4freebsd_advisory1ubuntu3freebsd1osv8f54debian13mageia6gentoo2cloudfoundry1cve5ubuntucve6prion6veracode7altlinux1debiancve5checkpoint_advisories2archlinux2