Lucene search

IBM24F51DF1969D9211B46C4BB13BC3D6347F574A1D9E0B59C1CC22A8CB5A22EF26

HistoryJun 15, 2018 - 7:08 a.m.

Security Bulletin: Vulnerability in Open Source cURL Libcurl affects IBM PureApplication. (CVE-2017-1000257)

2018-06-1507:08:33

www.ibm.com

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

JSON

Summary

Vulnerability in Open Source cURL Libcurl affects IBM PureApplication.

Vulnerability Details

CVEID: CVE-2017-1000257**
DESCRIPTION:** cURL is vulnerable to a denial of service, caused by a buffer overread in the IMAP handler. By using a specially crafted IMAP FETCH response, a remote attacker could exploit this vulnerability to cause the application to crash or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134033 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM PureApplication System V2.1.0.0
IBM PureApplication System V2.1.0.1
IBM PureApplication System V2.1.0.2
IBM PureApplication System V2.1.0.0
IBM PureApplication System V2.1.1.0
IBM PureApplication System V2.1.2.0
IBM PureApplication System V2.1.2.1
IBM PureApplication System V2.1.2.2
IBM PureApplication System V2.1.2.3
IBM PureApplication System V2.1.2.4
IBM PureApplication System V2.2.0.0
IBM PureApplication System V2.2.1.0
IBM PureApplication System V2.2.2.0
IBM PureApplication System V2.2.2.1
IBM PureApplication System V2.2.2.2
IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2

Remediation/Fixes

The PureSystems® Managers. on IBM PureApplication System is affected. The solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication System V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2

Upgrade to IBM PureApplication System V2.2.4.0. Contact IBM for assistance
For Power
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.3.2&platform=All&function=fixId&fixids=pure-appsys-power_2.2.4.0&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc
For Intel
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.3.2&platform=All&function=fixId&fixids=pure-appsys-intel_2.2.4.0&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc

IBM PureApplication System V2.1.0.0, V2.1.0.1, V2.1.0.2, V2.1.0.0, V2.1.1.0, V2.1.2.0, V2.1.2.1, V2.1.2.2, V2.1.2.3, V2.1.2.4:

Upgrade to IBM PureApplication System V2.2.4.0. Contact IBM for assistance

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>

Bluemix Local System is the evolution of the IBM PureApplication® System Intel™ based offerings.

Workarounds and Mitigations

None

CPENameOperatorVersion
pureapplication systemeq2.2.4.0
pureapplication systemeq2.2.3.2
pureapplication systemeq2.2.3.1
pureapplication systemeq2.2.3.0
pureapplication systemeq2.2.2.2
pureapplication systemeq2.2.2.1
pureapplication systemeq2.2.2.0
pureapplication systemeq2.2.1.0
pureapplication systemeq2.2.0.0

Name	Operator	Version
pureapplication system	eq	2.2.4.0
pureapplication system	eq	2.2.3.2
pureapplication system	eq	2.2.3.1
pureapplication system	eq	2.2.3.0
pureapplication system	eq	2.2.2.2
pureapplication system	eq	2.2.2.1
pureapplication system	eq	2.2.2.0
pureapplication system	eq	2.2.1.0
pureapplication system	eq	2.2.0.0