Lucene search

K
ibmIBM12F1CE1C14B7D672AF2B1C7512B6701A153854463DF39928282469070EC71BC9
HistoryOct 18, 2019 - 3:10 a.m.

Security Bulletin: Vulnerabilities in GNU C library (glibc), OpenSSL and BIND affect IBM Netezza Host Management

2019-10-1803:10:29
www.ibm.com
74
ibm netezza host management
gnu c library
openssl
bind
vulnerabilities
cve-2015-7547
cve-2016-0701
cve-2015-3197
cve-2015-8704
buffer overflow
man-in-the-middle attacks
denial of service
security fixes

EPSS

0.974

Percentile

99.9%

Summary

Vulnerabilites in GNU C library (glibc), OpenSSL and BIND affects IBM Netezza Host Management. IBM Netezza Host Management has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-7547**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the nss_dns backend for the getaddrinfo() function when performing dual A/AAAA DNS queries. By sending a specially crafted DNS response, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-0701**
DESCRIPTION:** OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of weak Diffie-Hellman parameters based on unsafe primes that are generated and stored in X9.42-style parameter files. By performing multiple handshakes using the same private DH exponent, an attacker could exploit this vulnerability to conduct man-in-the-middle attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110234 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2015-3197**
DESCRIPTION:** OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by an error related to the negotiation of disabled SSLv2 ciphers by malicious SSL/TLS clients. An attacker could exploit this vulnerability to conduct man-in-the-middle attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110235 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2015-8704**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by improper bounds checking in apl_42.c. By sending specially crafted Address Prefix List (APL) data, a remote authenticated attacker could exploit this vulnerability to trigger an INSIST assertion failure and cause the named process to terminate.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109701 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Netezza Host Management 5.4.2.0 (and prior releases)

Remediation/Fixes

IBM Netezza Host Management 5.4.3.0 Link to Fix Central

For_ IBM Netezza Host Management prior to the above mention releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._

Workarounds and Mitigations

None