InstallShield and InstallAnywhere generate installation executables that are vulnerable to DLL planting, which affects the installation of IBM Informix CSDK and Dynamic Server on Windows.
CVEID: CVE-2016-2542
DESCRIPTION: Flexera InstallShield could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability using a Trojan horse DLL in the current working directory of a setup-launcher executable file to gain elevated privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110914 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-4560
DESCRIPTION: Flexera InstallAnywhere could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability using a Trojan horse DLL in the current working directory of a setup-launcher executable file to gain elevated privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
IBM Informix CSDK 3.50, 3.70, 4.10 for Windows
IBM Informix Dynamic Server 11.50, 11.70, 12.10 for Windows

Product | VRMF | Remediation/First Fix
---|---|---
Informix CSDK | 3.50, 3.70 | Use workaround or call Support.
Informix CSDK | 4.10 | Fixed in 4.10.xC7.
Informix Server | 11.50, 11.70 | Use workaround or call Support.
Informix Server | 12.10 | Fixed in 12.10.xC7.

Informix CSDK 3.50 and Informix Server 11.50 use InstallShield. For these products use the following steps for installation:
Informix CSDK 3.70, 4.10 and Informix Server 11.70, 12.10 use InstallAnywhere. For these products use the following steps for installation:
Note that this vulnerability exists only at installation time; currently running versions are not affected.
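
A pre-installation check for the condition both CVE descriptions above name (a DLL sitting in the setup launcher's working directory), added here as an example; it is not from IBM's bulletin and does not reproduce the bulletin's installation steps. The function names `audit_launch_dirs` and `stage_in_clean_dir` and all file names are assumptions, and copying the installer alone into an empty directory is a general precaution for untrusted-search-path issues.

```python
import shutil
import tempfile
from pathlib import Path

# The CVEs concern DLLs resolved from the launcher's working directory.
SUSPECT_SUFFIXES = {".dll"}


def audit_launch_dirs(installer, cwd=None):
    """Return DLLs found beside the installer or in the working directory."""
    installer = Path(installer).resolve()
    # Check both locations; the set collapses them when they are the same.
    dirs = {installer.parent, Path(cwd or Path.cwd()).resolve()}
    findings = []
    for d in sorted(dirs):
        for entry in d.iterdir():
            if not entry.is_file() or entry.resolve() == installer:
                continue
            # Windows file names are case-insensitive, so compare lowercased.
            if entry.suffix.lower() in SUSPECT_SUFFIXES:
                findings.append(entry)
    return sorted(findings)


def stage_in_clean_dir(installer):
    """Copy only the installer into a newly created, empty temp directory."""
    clean = Path(tempfile.mkdtemp(prefix="clean-install-"))
    return Path(shutil.copy2(installer, clean))


if __name__ == "__main__":
    # Constructed demo: a shared download folder with an installer and a stray DLL.
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    setup = downloads / "setup.exe"  # placeholder name, not IBM's file name
    setup.write_bytes(b"MZ")
    (downloads / "Example.DLL").write_bytes(b"MZ")

    found = audit_launch_dirs(setup, cwd=downloads)
    print("DLLs next to installer:", [p.name for p in found])

    staged = stage_in_clean_dir(setup)
    print("staged at:", staged)
    print("DLLs next to staged copy:", audit_launch_dirs(staged, cwd=staged.parent))
```

A non-empty result from `audit_launch_dirs` means the installer should not be started from that directory until each listed DLL has been accounted for.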