
Security Bulletin: A vulnerability in the Apache Xerces-C XML Parser library affects IBM Performance Management products (CVE-2016-4463)

Published: 2018-06-17 15:36:12 (source: www.ibm.com)

CVSS3: 7.5 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

The Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing a deeply nested DTD. A remote attacker could exploit this vulnerability to cause a denial of service.

Vulnerability Details

**CVEID:** CVE-2016-4463
**DESCRIPTION:** Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing a deeply nested DTD. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114596 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
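The bulletin's remediation is to patch, and that remains the fix. Until agents are patched, a defender can keep untrusted documents with a deeply nested DTD away from the parser altogether. The scanner below is an added example, not code from IBM or from the Apache Xerces-C project: it measures how deeply the parentheses of content-model declarations nest inside a document's internal DTD subset and refuses documents over a fixed limit before any XML parser sees them. The limit value (32) and the decision to measure "nesting" as parenthesis depth in the internal subset are assumptions of this example; the sample documents are constructed.

```python
"""Pre-parse nesting gate for the internal DTD subset of an XML document.

Added example, not code from IBM or from the Apache Xerces-C project. A
document whose DOCTYPE internal subset nests content-model parentheses
deeper than a fixed limit is refused before it reaches the XML parser.
The limit value and the choice to measure nesting as parenthesis depth
inside the internal subset are assumptions of this example.
"""

DOCTYPE = b"<!DOCTYPE"          # XML requires this keyword in upper case
DEFAULT_LIMIT = 32              # assumed limit; real schemas rarely nest this deep


def internal_subset_paren_depth(doc: bytes) -> int:
    """Return the deepest parenthesis nesting in the DOCTYPE internal subset.

    Returns 0 when the document has no DOCTYPE or no internal subset.
    Comments and quoted literals inside the subset are skipped, and the
    scan stops at the ']' that closes the subset.
    """
    start = doc.find(DOCTYPE)
    if start == -1:
        return 0
    i = start + len(DOCTYPE)
    # The internal subset, if present, opens with '[' before the DOCTYPE's '>'.
    while i < len(doc) and doc[i] not in b"[>":
        i += 1
    if i >= len(doc) or doc[i] == ord(">"):
        return 0
    i += 1
    depth = max_depth = 0
    quote = None
    while i < len(doc):
        c = doc[i]
        if quote is not None:             # inside a quoted literal: skip it
            if c == quote:
                quote = None
            i += 1
            continue
        if doc.startswith(b"<!--", i):    # skip comments entirely
            end = doc.find(b"-->", i + 4)
            if end == -1:
                break
            i = end + 3
            continue
        if c in b"\"'":
            quote = c
        elif c == ord("("):
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == ord(")"):
            depth = max(depth - 1, 0)
        elif c == ord("]"):               # end of the internal subset
            break
        i += 1
    return max_depth


def accept_document(doc: bytes, limit: int = DEFAULT_LIMIT) -> bool:
    """True if the document may be handed on to the XML parser."""
    return internal_subset_paren_depth(doc) <= limit


# Constructed sample inputs (not taken from any real incident).
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!-- a small, ordinary content model -->
  <!ELEMENT note (to, from, (heading | title)?, body)>
  <!ELEMENT to (#PCDATA)>
  <!ATTLIST note id CDATA "(unused)">
]>
<note><to>x</to></note>"""

# A content model whose parentheses nest far deeper than any real schema needs.
_DEPTH = 200
DEEP = (b'<?xml version="1.0"?>\n<!DOCTYPE a [\n<!ELEMENT a '
        + b"(" * _DEPTH + b"#PCDATA" + b")" * _DEPTH + b">\n]>\n<a/>")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("deep", DEEP)):
        print(name, internal_subset_paren_depth(sample), accept_document(sample))
```

Two caveats on the design. The gate only inspects the internal subset: an external DTD or external parameter entity is fetched by the parser itself, so the parser should also be configured not to load external DTDs (or the application should reject any DOCTYPE it does not need). Counting literal parentheses is sound for the internal subset because XML forbids parameter-entity references inside markup declarations there, so nesting cannot be assembled from entity values; that guarantee does not extend to an external subset.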

Affected Products and Versions

IBM Monitoring 8.1.3

IBM Application Diagnostics 8.1.3

IBM Application Performance Management 8.1.3

IBM Application Performance Management Advanced 8.1.3

IBM Cloud Application Performance Management

Remediation/Fixes

Product | VRMF | Remediation
—|—|—
IBM Monitoring; IBM Application Diagnostics; IBM Application Performance Management; IBM Application Performance Management Advanced | 8.1.3 | The vulnerability can be remediated by applying the Core Framework patch 8.1.3.0-IBM-IPM-CORE-FRAMEWORK-IPM-IF0002 to all systems where Performance Management agents are installed: http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003263 — If you use the Response Time agent, the vulnerability can be remediated by applying the Response Time agent patch 8.1.3.0-IBM-IPM-RT-AGENT-IF0002 to all systems where this agent is installed: http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003077
IBM Cloud Application Performance Management | N/A | If your subscription was upgraded to version 8.1.3.2, upgrade your existing Performance Management agents to the version 8.1.3.2 agent packages. If your subscription is not yet upgraded to version 8.1.3.2, the vulnerability can be remediated by applying the Core Framework patch 8.1.3.1.0-IBM-IPM-CORE-FRAMEWORK-IPM-IF0001 to all systems where Performance Management agents are installed: http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001574 — Apply the Response Time agent patch 8.1.3.0-IBM-IPM-RT-AGENT-IF0002 to all systems where this agent is installed: http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003077

Workarounds and Mitigations

None.

CPE Name | Operator | Version
—|—|—
tivoli monitoring | eq | 8.1.3
