Security Bulletin: Multiple vulnerabilities in GNU C library (glibc) affects IBM SONAS

Summary

IBM SONAS is shipped with GNU glibc, for which a fix is available for a security vulnerability.

Vulnerability Details

A GNU C library denial of service vulnerability affects IBM SONAS.

CVEID: CVE-2017-15804 DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer overflow, caused by improper bounds checking by glob function in glob.c. By using a specially-crafted file, a local attacker could overflow a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133996&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-15671 DESCRIPTION: GNU C Library is vulnerable to a denial of service, caused by a memory leak in the glob function in glob.c. A remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133909&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-15670 DESCRIPTION: GNU C Library is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the glob function in glob.c. By sending a specially-crafted string, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133915&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2011-5320 DESCRIPTION: GNU glibc is vulnerable to a denial of service, caused by a flaw in the scanf and related functions. By using a large string of os, a local attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133667&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM SONAS
The product is affected when running a code releases 1.5.0.0 to 1.5.2.9. The product running unsupported code releases 1.4 or earlier are also affected.

Remediation/Fixes

A fix for these issues is in version 1.5.2.10 of IBM SONAS. Customers running an affected version of SONAS should upgrade to 1.5.2.10 or a later version, so that the fix gets applied.

Please contact IBM support for assistance in upgrading your system.

Systems running an unsupported version (v1.4 or earlier) should be upgraded to the current release containing the security fixes.

Workarounds and Mitigations

Mitigation(s) : Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.