Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM2FE75C77B1939E02728417DBBA0DCE8A4CCE4C37B26DCE19150587D0883B1840
HistoryJan 31, 2019 - 2:25 a.m.

Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in expat (CVE-2012-6702 CVE-2016-5300).

2019-01-3102:25:02
www.ibm.com
11

0.007 Low

EPSS

Percentile

81.0%

JSON

Summary

IBM Dynamic System Analysis (DSA) Preboot has addressed the following vulnerabilities in expat.

Vulnerability Details

Summary

IBM Dynamic System Analysis (DSA) Preboot has addressed the following vulnerabilities in expat.

Vulnerability Details

CVEID: CVE-2012-6702

Description: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, could provide weaker than expected security. An attacker could exploit this vulnerability using attack vectors involving use of the srand function to defeat cryptographic protection mechanisms.

CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114541&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-5300

Description: Expat XML parser is vulnerable to a denial of service, caused by the failure to use sufficient entropy for hash initialization. By using a specially-crafted identifiers in an XML document, a remote attacker could exploit this vulnerability to cause the application to crash.

CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114435&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected products and versions

Product Version
IBM Dynamic System Analysis (DSA) Preboot 9.6

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/&gt;

Product Fix Version
IBM Dynamic System Analysis (DSA) Preboot
(ibm_fw_dsa_dsyte2w-9.65) dsyte2w-9.65

Workarounds and Mitigations

None.

References

Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Lenovo Product Security Advisories

Acknowledgement

None.

Change History
15 November, 2017: Original Version Published

  • The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an β€œindustry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES β€œAS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related

openvas 25
ibm 11
cloudfoundry 1
nessus 32
ubuntu 2
osv 4
ubuntucve 2
debian 3
mageia 1
archlinux 2
freebsd 2
fedora 3
f5 4
debiancve 2
cve 2
cvelist 2
nvd 2
prion 2
alpinelinux 2
veracode 2
slackware 2
gentoo 1
redhatcve 1
apple 4
suse 3
androidsecurity 1
oracle 2
openvas
openvas
Ubuntu: Security Advisory (USN-3010-1)
2016-06-21 00:00:00
Debian: Security Advisory (DSA-3597-1)
2016-06-06 00:00:00
Debian: Security Advisory (DLA-508-1)
2023-03-08 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in Expat affect Intel (R) Manycore Platform Software Stack (MPSS) for Linux and Windows
2019-01-31 02:25:02
Security Bulletin: A vulnerability in the agent core framework affects IBM Performance Management products
2018-06-17 15:40:54
Security Bulletin: Security vulnerabilities have been identified in IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator Enterprise (CVE-2012-6702, CVE-2016-5300)
2018-06-17 22:33:28
cloudfoundry
cloudfoundry
USN-3010-1 Expat vulnerabilities | Cloud Foundry
2016-07-13 00:00:00
nessus
nessus
Ubuntu 14.04 LTS / 16.04 LTS : Expat vulnerabilities (USN-3010-1)
2016-06-21 00:00:00
Debian DSA-3597-1 : expat - security update
2016-06-08 00:00:00
FreeBSD : expat -- multiple vulnerabilities (c9c252f5-2def-11e6-ae88-002590263bf5)
2016-06-09 00:00:00
ubuntu
ubuntu
Expat vulnerabilities
2016-06-20 00:00:00
XML-RPC for C and C++ vulnerabilities
2016-06-20 00:00:00
osv
osv
expat - security update
2016-06-08 00:00:00
expat - security update
2016-06-07 00:00:00
CVE-2012-6702
2016-06-16 18:59:00
ubuntucve
ubuntucve
CVE-2016-5300
2016-06-06 00:00:00
CVE-2012-6702
2012-12-31 00:00:00
debian
debian
[SECURITY] [DSA 3597-1] expat security update
2016-06-07 16:44:57
[SECURITY] [DLA 508-1] expat security update
2016-06-08 09:29:13
[SECURITY] [DSA 3597-1] expat security update
2016-06-07 16:44:57
mageia
mageia
Updated expat packages fix security vulnerabilities
2016-06-17 08:58:14
archlinux
archlinux
expat: multiple issues
2016-06-13 00:00:00
lib32-expat: multiple issues
2016-06-13 00:00:00
freebsd
freebsd
expat -- multiple vulnerabilities
2016-03-18 00:00:00
Python 2.7 -- multiple vulnerabilities
2017-08-26 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: expat-2.1.1-2.fc24
2016-06-21 19:27:49
[SECURITY] Fedora 23 Update: expat-2.1.1-2.fc23
2016-06-19 07:27:54
[SECURITY] Fedora 22 Update: expat-2.1.1-2.fc22
2016-07-12 02:27:38
f5
f5
SOL65460334 - Expat XML parser vulnerability CVE-2012-6702
2016-09-06 00:00:00
K65460334 : Expat XML parser vulnerability CVE-2012-6702
2016-09-06 00:00:00
K70938105 : Expat XML library vulnerability CVE-2016-5300
2016-10-26 00:00:00
debiancve
debiancve
CVE-2012-6702
2016-06-16 18:59:00
CVE-2016-5300
2016-06-16 18:59:10
cve
cve
CVE-2012-6702
2016-06-16 18:59:00
CVE-2016-5300
2016-06-16 18:59:10
cvelist
cvelist
CVE-2012-6702
2016-06-16 18:00:00
CVE-2016-5300
2016-06-16 18:00:00
nvd
nvd
CVE-2012-6702
2016-06-16 18:59:00
CVE-2016-5300
2016-06-16 18:59:10
prion
prion
Design/Logic Flaw
2016-06-16 18:59:00
Code injection
2016-06-16 18:59:00
alpinelinux
alpinelinux
CVE-2012-6702
2016-06-16 18:59:00
CVE-2016-5300
2016-06-16 18:59:10
veracode
veracode
Weak Cryptographic Protection
2016-06-08 07:23:46
Denial Of Service (DoS)
2017-02-01 06:06:40
slackware
slackware
[slackware-security] expat
2016-12-24 19:24:21
[slackware-security] python
2018-05-04 20:53:50
gentoo
gentoo
Expat: Multiple vulnerabilities
2017-01-11 00:00:00
redhatcve
redhatcve
CVE-2016-5300
2016-06-06 13:18:38
apple
apple
About the security content of iTunes 12.6
2017-03-21 00:00:00
About the security content of iTunes 12.6 - Apple Support
2017-03-22 07:40:40
About the security content of iTunes 12.6 for Windows
2017-03-21 00:00:00
suse
suse
Security update for SLES 12-SP2 Docker image (important)
2017-10-11 03:08:09
Security update for SLES 12-SP1 Docker image (important)
2017-10-11 03:07:32
Security update for SLES 12 Docker image (important)
2017-10-11 03:06:53
androidsecurity
androidsecurity
Android Security Bulletinβ€”November 2016
2016-11-07 00:00:00
oracle
oracle
CPU July 2018
2018-07-17 00:00:00
Oracle Critical Patch Update Advisory - October 2020
2020-10-20 00:00:00

0.007 Low

EPSS

Percentile

81.0%

JSON
Related for 2FE75C77B1939E02728417DBBA0DCE8A4CCE4C37B26DCE19150587D0883B1840
openvas25ibm11cloudfoundry1nessus32ubuntu2osv4ubuntucve2debian3mageia1archlinux2freebsd2fedora3f54debiancve2cve2cvelist2nvd2prion2alpinelinux2veracode2slackware2gentoo1redhatcve1apple4suse3androidsecurity1oracle2