Lucene search

IBM190B29F55D96F00ABD09FBFA014A244871553746075BFE6A2D639E4EE90FE46C

HistoryJun 15, 2018 - 7:08 a.m.

Security Bulletin: OpenSource GNU glibc Vulnerabilities which is used by IBM PureApplication Systems (CVE-2015-8776)

2018-06-1507:08:13

www.ibm.com

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

JSON

Summary

A vulnerability in Open Source GNU glibc affects the PureSystems® Managers used by IBM PureApplication System.

Vulnerability Details

CVEID: CVE-2015-8776**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a denial of service. By passing out-of-range time values to the strftime function, a remote attacker could exploit this vulnerability to cause a segmentation fault or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110675 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM PureApplication System V2.2.0.0
IBM PureApplication System V2.2.1.0
IBM PureApplication System V2.2.2.0
IBM PureApplication System V2.2.2.1
IBM PureApplication System V2.2.2.2
IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2

Remediation/Fixes

The solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2, V2.2.4.0

Upgrade to IBM PureApplication V2.2.5.0. Contact IBM for assistance.

PureApplication Software:
Linux:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=pureappsw_content_2250&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

PureApplication System:
AIX
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=Group_Content_PureApplicationSystem_2.2.5.0_Power&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

Linux
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=Group_Content_PureApplicationSystem_2.2.5.0_Intel&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

Intel
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=Group_Base_RedHat_PureApplicationSystem_2.2.5.0_Intel&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>

Workarounds and Mitigations

None

CPENameOperatorVersion
pureapplication systemeq2.2.3.2
pureapplication systemeq2.2.3.1
pureapplication systemeq2.2.3.0
pureapplication systemeq2.2.2.2
pureapplication systemeq2.2.2.1
pureapplication systemeq2.2.2.0
pureapplication systemeq2.2.1.0
pureapplication systemeq2.2.0.0
pureapplication systemeq2.1.2.4
pureapplication systemeq2.1.2.3

Name	Operator	Version
pureapplication system	eq	2.2.3.2
pureapplication system	eq	2.2.3.1
pureapplication system	eq	2.2.3.0
pureapplication system	eq	2.2.2.2
pureapplication system	eq	2.2.2.1
pureapplication system	eq	2.2.2.0
pureapplication system	eq	2.2.1.0
pureapplication system	eq	2.2.0.0
pureapplication system	eq	2.1.2.4
pureapplication system	eq	2.1.2.3