Security Bulletin: Vulnerabilities in Libxml2 affect System x Integrated Management Module (IMM) (CVE-2014-0191, CVE-2014-3660)

2023-04-14 14:32:25
www.ibm.com

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.024 Low
Percentile: 89.7%

Summary

Security vulnerabilities have been discovered in libxml2 which affect System x Integrated Management Module (IMM).

Vulnerability Details

CVE-ID: CVE-2014-0191

Description: Libxml2 is vulnerable to a denial of service, caused by the expansion of internal entities within the xmlParserHandlePEReference() function. A remote attacker could exploit this vulnerability using a specially-crafted XML document containing malicious attributes to consume all available CPU resources.

CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/93092> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-3660

Description: Libxml2 is vulnerable to a denial of service, caused by the expansion of recursive entities. A remote attacker could exploit this vulnerability using a specially-crafted XML document processed by an application using libxml2 to consume all available CPU resources.

CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97656> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
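
Both CVEs come down to entity definitions that expand to far more data than the document contains. The following is an added example, not code from the IBM bulletin or from libxml2: a regex-based pre-parse check that computes each general entity's expanded size without expanding it and rejects recursive definitions, going beyond the bulletin to show the general check. The function names, the constructed sample and the 10,000-character budget are assumptions, and parameter entities are not covered.

```python
import re

# Constructed sample: three nesting levels, ten references per level.
SAMPLE = """<!DOCTYPE r [
  <!ENTITY a "0123456789">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]><r>&c;</r>"""

# General entities with a literal value; parameter entities (%) do not match.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.-]+);')

def expanded_sizes(xml_text):
    """Map each declared entity to its expanded length, without expanding it."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)  # the first declaration of a name wins
    sizes, in_progress = {}, set()

    def size(name):
        if name not in decls:
            return 1  # predefined (&lt; ...) or undeclared: count one character
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError("recursive entity: " + name)
        in_progress.add(name)
        value = decls[name]
        literal = len(ENTITY_REF.sub("", value))
        sizes[name] = literal + sum(size(r) for r in ENTITY_REF.findall(value))
        in_progress.discard(name)
        return sizes[name]

    for name in decls:
        size(name)
    return sizes

def within_budget(xml_text, max_chars=10_000):
    """True when no entity is recursive or expands beyond max_chars."""
    try:
        return max(expanded_sizes(xml_text).values(), default=0) <= max_chars
    except ValueError:
        return False

if __name__ == "__main__":
    print(expanded_sizes(SAMPLE), within_budget(SAMPLE, max_chars=500))
```

The budget applies per entity; a document body that references a large entity many times still needs a total-size limit in the parser itself.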

Affected products and versions

The following IMM code levels may exhibit this issue:

  • All versions 1.00 to 1.47

The following platforms may be affected:

  • System x3500 M2, Type 7839, any model
  • System x3500 M3, Type 7380, any model
  • System x3550 M2, Type 4198, any model
  • System x3550 M2, Type 7946, any model
  • System x3550 M3, Type 4254, any model
  • System x3550 M3, Type 7944, any model
  • System x3630 M3, Type 7377, any model
  • System x3650 M2, Type 4199, any model
  • System x3650 M2, Type 7947, any model
  • System x3650 M3, Type 4255, any model
  • System x3650 M3, Type 5454, any model
  • System x3650 M3, Type 7945, any model
  • System x3690 X5, Type 7147, any model
  • System x3690 X5, Type 7148, any model
  • System x3690 X5, Type 7149, any model
  • System x3690 X5, Type 7192, any model
  • System x3850 X5, Type 7143, any model
  • System x3850 X5, Type 7145, any model
  • System x3850 X5, Type 7146, any model
  • System x3850 X5, Type 7191, any model
  • System x3950 X5, Type 7143, any model
  • System x3950 X5, Type 7145, any model
  • System x iDataPlex dx360 M2, Types 6380, any model
  • System x iDataPlex dx360 M2, Types 7321, any model
  • System x iDataPlex dx360 M2, Types 7323, any model
  • System x iDataPlex dx360 M3, Types 6391, any model

Remediation/Fixes

It’s recommended to update IMM to 1.48 YUOOG8C or later. Firmware updates are available through IBM Fix Central: <http://www.ibm.com/support/fixcentral>.

Workarounds and Mitigations

None.
