Security Bulletin: A vulnerability in glibc affects IBM Flex System Manager (FSM) (CVE-2017-1000366)

Summary

A vulnerability has been discovered in glibc that is embedded in FSM. This bulletin addresses that issue.

Vulnerability Details

CVEID: CVE-2017-1000366**
DESCRIPTION:** Glibc could allow a local attacker to execute arbitrary code on the system, caused by a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack. By using specially-crafted crafted LD_LIBRARY_PATH values, an attacker could exploit this vulnerability to trigger a stack memory allocation flaw and execute arbitrary code on the system.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127452 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Remediation/Fixes

IBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table.

For all other VRMF IBM recommends upgrading to a fixed, supported version/release of the product.

Note: Installation of the fixes provided in the technote will install a cumulative fix package that will update the version of the FSM. Reference the technote for more details.

You should verify applying this fix does not cause any compatibility issues. The fix may disable older encrypted protocols by default.

IBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.

For a complete listing of FSM security iFixes go to this technote: http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex--NULL--E

Workarounds and Mitigations

None