Security Bulletin: IBM Flex System Manager (FSM) is affected by a vulnerability in sqlite (CVE-2016-6153)

Summary

A security vulnerability has been discovered in sqlite that is embedded in the IBM FSM. This bulletin addresses this vulnerability.

Vulnerability Details

CVEID: CVE-2016-6153**
DESCRIPTION:** SQLite could allow a local attacker to gain elevated privileges on the system, caused by the creation of temporary files in directory with insecure permissions. An attacker could exploit this vulnerability to obtain leaked data.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114715 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Flex System Manager 1.3.4.x
Flex System Manager 1.3.3.x
Flex System Manager 1.3.2.x

Remediation/Fixes

IBM recommends updating the FSM using the instructions referenced in this table.

Product |

VRMF |

APAR |

Remediation
—|—|—|—
Flex System Manager|

1.3.4.x |

IT17534

| Install fsmfix1.3.4.0_IT17534_IT17536_IT17537_IT17653
Flex System Manager|

1.3.3.x |

IT17534

| Install fsmfix1.3.3.0_IT17534_IT17536_IT17537_IT17653
Flex System Manager|

1.3.2.x |

IT17534

| Install fsmfix1.3.2.0_IT17534_IT17536_IT17537_IT17653

For a complete list of FSM security bulletins refer to this technote: http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex--NULL--E

For 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product.

Workarounds and Mitigations

None