Lucene search

K
ibmIBM289F46B747F4C8F26E8F8D17623E34EDE1DB7595184FCDCC87FEDCC356AC9965
HistoryJun 16, 2018 - 10:03 p.m.

Security Bulletin: IBM Security Access Manager appliances are affected by kernel vulnerabilities

2018-06-1622:03:36
www.ibm.com
70

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

The IBM Security Access Manager appliance has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-9555**
DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds access error in sctp_sf_ootb(). By sending specially crafted data, a remote attacker could exploit this vulnerability to obtain a sensitive information or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119185 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2016-9084**
DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper use of the kzalloc function by vfio_pci_intrs.c. A local attacker could exploit this vulnerability to trigger an integer overflow and cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119406 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9083**
DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a mmeory corruption error in vfio_pci.c. A local attacker could exploit this vulnerability to bypass integer overflow checks and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119407 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7117**
DESCRIPTION:** Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in __sys_recvmmsg function in net/socket.c. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117765 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-6828**
DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the failure to properly maintain certain SACK state in tcp_check_send_head function in include/net/tcp.h. By executing a specially-crafted SACK option, an attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118135 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected IBM Security Access Manager Appliance

|

Affected Versions

—|—
IBM Security Access Manager| 9.0.3.0

Remediation/Fixes

Product

|

VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—
IBM Security Access Manager| 9.0.3.0| IJ00229| Upgrade to 9.0.3.1:
9.0.3-ISS-ISAM-FP0001

Workarounds and Mitigations

None.

CPENameOperatorVersion
ibm security access managereq9.0.3

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C