Jun 17, 2018 - 4:57 a.m.

Security Bulletin: IBM Software Delivery and Lifecycle Patterns for the glibc vulnerabilities (CVE-2014-5119)

2018-06-17 04:57:32
www.ibm.com
CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

IBM Software Delivery and Lifecycle Patterns requires client action for the glibc vulnerabilities.
The GNU C Library (glibc) is vulnerable to a heap-based buffer overflow. A local attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with root privileges.

Vulnerability Details

IBM Software Delivery and Lifecycle Patterns ships with Red Hat Enterprise Linux 6.4 which is vulnerable to CVE-2014-5119.

**CVE ID:** CVE-2014-5119

**Description:** The GNU C Library (glibc) is vulnerable to a heap-based buffer overflow, caused by an off-by-one error in the __gconv_translit_find() function. By setting the CHARSET environment variable to a malicious value, a local attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with root privileges.

**CVSS Base Score:** 7.2

**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95044> for the current score

**CVSS Environmental Score:** Undefined

**CVSS Vector:** (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM Software Delivery and Lifecycle Patterns 1.0 and 1.0.1

Remediation/Fixes

IBM strongly recommends that you contact Red Hat to obtain and install fixes for Red Hat Enterprise Linux 6.4.

Alternatively, if you have access to a Yum update repository, you may update the glibc library by using the command `yum update glibc`.
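
One way to confirm the update took effect, as an added example that is not part of IBM's bulletin. It assumes the installed glibc package's RPM changelog names the CVE it fixes, and it flags processes started before the update that still map the replaced library; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bulletin): post-update check for CVE-2014-5119.
CVE_ID="CVE-2014-5119"

# Read an RPM changelog on stdin; succeed if it mentions the CVE.
# Assumption: the vendor records the fixed CVE id in the package changelog.
changelog_has_fix() {
    grep -q -F -- "$CVE_ID"
}

# Read lines of "<pid> <maps line>" on stdin and print each PID that still
# maps a libc file the package update has replaced (marked "(deleted)").
stale_libc_pids() {
    awk '/libc-[0-9.]*\.so.*\(deleted\)/ { print $1 }' | sort -un
}

# Emit "<pid> <maps line>" for every process whose maps file is readable.
# Run as root to see processes owned by other users.
collect_maps() {
    for f in /proc/[0-9]*/maps; do
        pid=${f#/proc/}; pid=${pid%/maps}
        sed "s/^/$pid /" "$f" 2>/dev/null
    done
}

check_host() {
    if rpm -q --changelog glibc | changelog_has_fix; then
        echo "glibc: changelog lists $CVE_ID ($(rpm -q glibc))"
    else
        echo "glibc: changelog does not list $CVE_ID; run: yum update glibc"
        return 1
    fi
    stale=$(collect_maps | stale_libc_pids | tr '\n' ' ')
    if [ -n "$stale" ]; then
        echo "old libc still mapped; restart these PIDs or reboot: $stale"
    fi
}

# Only touch the host when asked to, so the functions can be sourced safely.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with `--check` on the Red Hat Enterprise Linux host after `yum update glibc`.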

Workarounds and Mitigations

None
