9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
This bulletin addresses CVE-2016-2842 for IBM Sterling Connect:Express for Unix.
OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by IBM Sterling Connect:Express for Unix. IBM Sterling Connect:Express for Unix addressed the applicable CVEs with the details provided in:
An additional CVE, CVE-2016-2842, was also fixed but was not initially included in the March 1, 2016 OpenSSL Project announcement or in the associated security bulletin for this product. This bulletin only addresses CVE-2016-2842. See the bulletin linked above for the other CVEs that were addressed by the March 1, 2016 OpenSSL Project.
CVE-ID: CVE-2016-2842 Description: OpenSSL is vulnerable to a denial of service, caused by the failure to verify that a certain memory allocation succeeds by the doapr_outch function. A remote attacker could exploit this vulnerability using a specially crafted string to cause an out-of-bounds write or consume an overly large amount of resources.
CVSS Base Score: 7.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/111304 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
IBM Sterling Connect:Express for UNIX 1.4.6
- All versions prior to 1.4.6.1 iFix 146-113
IBM Sterling Connect:Express for UNIX 1.5.0.12
- All versions prior to 1.5.0.12 iFix 150-1206
VRMF
| Remediation
—|—
1.4.6| Contact your local IBM Remote Technical Support Center to request Connect:Express 1.4.6.1 iFix 146-114
1.5.0.12| Apply 1.5.0.12 iFix 150-13, available on Fix Central
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm sterling connect:express for unix | eq | 1.5 | |
ibm sterling connect:express for unix | eq | 1.4 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C