Lucene search

K
ibmIBM20C4435BAC00C098E35FC9558CC32D917A8080A382905ACB9CA97666DEE3A1C4
HistoryDec 18, 2019 - 2:26 p.m.

Security Bulletin: IBM i is affected by DHCP vulnerabilities (CVE-2015-8605 and CVE-2016-2774).

2019-12-1814:26:38
www.ibm.com
8

6.5 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

Summary

IBM i DHCP is vulnerable to several security vulnerabilities.

Vulnerability Details

CVEID: CVE-2015-8605 DESCRIPTION: ISC DHCP is vulnerable to a denial of service, caused by the failure to properly check the UDP payload length. By sending a specially crafted packet with an invalid IPv4 UDP length field, a remote attacker from within the local network could exploit this vulnerability to cause the DHCP server, client, or relay program to terminate.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-2774 DESCRIPTION: ISC DHCP is vulnerable to a denial of service, caused by the failure to limit the number of open TCP connections to the ports for inter-process communications and control. By opening a large number of TCP connections, a remote attacker from within the local network could exploit this vulnerability to become unresponsive or consume all available sockets.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111319 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Releases 7.1, 7.2 and 7.3 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i.

Releases 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed.

http://www-933.ibm.com/support/fixcentral/

The IBM i PTF numbers are:

Release 7.1 – SI60082 Release 7.2 – SI60110 Release 7.3 – SI60111

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None known

CPENameOperatorVersion
ibm ieq7.1.0

6.5 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

Related for 20C4435BAC00C098E35FC9558CC32D917A8080A382905ACB9CA97666DEE3A1C4