Security Bulletin: Vulnerabilities in zlib affect IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)

Summary

Vulnerabilities were reported in zlib. zlib is used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-9840**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120508 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9841**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120509 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9842**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120510 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9843**
DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120511 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Sterling Connect:Direct for Microsoft Windows 4.6.0.0 through 4.6.0.6_iFix014
IBM Sterling Connect:Direct for Microsoft Windows 4.7.0.0 through 4.7.0.4_iFix026

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM Sterling Connect:Direct for Microsoft Windows| 4.6.0| IT19769| Apply 4.6.0.6_iFix015, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows| 4.7.0| IT19769| Apply 4.7.0.5, available on Fix Central
For older versions/releases IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None