IBM2475C1223999E8F317A78498A89C5066F0DD1F3BF1205206890E193135A95A25Security Bulletin: IBM Streams is affected by Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-4463)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
IBM Streams is affected by Open Source Apache Xerces-C XML parser Vulnerabilities. IBM Streams has addressed this vulnerability.
Vulnerability Details
CVEID: CVE-2016-4463 **DESCRIPTION: *Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing a deeply nested DTD. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/114596 for more information
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
-
- IBM Streams Version 4.1.1.1 and earlier
- IBM InfoSphere Streams Version 4.0.1.2 and earlier
- IBM InfoSphere Streams Version 3.2.1.5 and earlier
- IBM InfoSphere Streams Version 3.1.0.7 and earlier
- IBM InfoSphere Streams Version 3.0.0.5 and earlier
- IBM InfoSphere Streams Version 2.0.0.4 and earlier
- IBM InfoSphere Streams Version 1.2.1.0
Remediation/Fixes
NOTE: Fix Packs are available on IBM Fix Central.
* **Version 4.1.1:**
* Apply [4.1.1 Fix Pack 2 (4.1.1.2) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.1.1.0&platform=All&function=all>)
* **Version 4.0.1:**
* Apply [4.0.1 Fix Pack 3 (4.0.1.3) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.0.1.0&platform=All&function=all>)
* **Version 3.2.1:**
* Apply [3.2.1 Fix Pack (3.2.1.6) or higher. ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=3.2.1.0&platform=All&function=all>)
* **Version 3.1.0:**
* Contact IBM Technical Support.
* **Version 3.0.0:**
* Contact IBM Technical Support.
* **Versions 1.2 and 2.0:**
* For version 1.x and 2.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm streams | eq | 1.2 | |
| ibm streams | eq | 2.0 | |
| ibm streams | eq | 3.0 | |
| ibm streams | eq | 3.1 | |
| ibm streams | eq | 3.2 | |
| ibm streams | eq | 3.2.1 | |
| ibm streams | eq | 4.0 | |
| ibm streams | eq | 4.0.1 | |
| ibm streams | eq | 4.1 | |
| ibm streams | eq | 4.1.1 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P