Security Bulletin: Vulnerabilities in Glibc affect IBM Security Network Controller (CVE-2015-5229, CVE-2015-8776)

Summary

Glibc vulnerabilities were found in IBM Security Network Controller. IBM Security Network Controller has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-5229
DESCRIPTION: GNU C Library (glibc) is vulnerable to a denial of service, caused by the return of memory areas containing non-zero bytes by the calloc implementation. A remote attacker could exploit this vulnerability to cause the application to crash or hang.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/110711&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-8776 DESCRIPTION: GNU C Library (glibc) is vulnerable to a denial of service. By passing out-of-range time values to the strftime function, a remote attacker could exploit this vulnerability to cause a segmentation fault or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/110675&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM Security Network Controller 1.0.X

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Controller| 1.0.X| Proventia NSC Update 14 (fw 1.0.4000) ** IBM Security Network Controller**| 1.0.X| Proventia NSC Update 14 (fw 1.0.4000M)

for IBM Security Network Controller products at Firmware versions 1.X

IBM recommends upgrading to 1.0.4000M/1.0.4000 depending on current firmware installed. Update 1.0.4000M and 1.0.4000 are the supported firmware release of the product.