7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
There are public disclosed vulnerabilities from GNU glibc that are used by the OS Images for IBM PureApplication System.
To address the vulnerabilities in response to CVE-2017-16997 and CVE-2018-1000001, IBM has released Version 2.2.5.3 for IBM PureApplication System, which includes IBM OS images for Red Hat Linux Systems based deployments.
CVEID: CVE-2017-16997 DESCRIPTION: GNU C Library could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the elf/dl-load.c. By using a Trojan horse library, an attacker could exploit this vulnerability to gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136491> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2018-1000001 DESCRIPTION: Glibc could allow a local attacker to execute arbitrary code on the system, caused by a buffer underflow in the __realpath() function in stdlib/canonicalize.c. An attacker could exploit this vulnerability to execute arbitrary code on the system and obtain privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
For IBM PureApplication:
IBM OS Image for Red Hat Linux Systems 3.0.8.0
IBM OS Image for Red Hat Linux Systems 3.0.9.0
For IBM PureApplication:
IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2
IBM PureApplication System V2.2.4.0
IBM PureApplication System V2.2.5.0
IBM PureApplication System V2.2.5.1
IBM PureApplication System V2.2.5.2
Note: Upgrade to at least IBM PureApplication System V2.2.5.0.
Visit IBM Fix Central to download the fixes for Linux.
Alternatively, for CVE-2018-1000001, the solution is to upgrade the IBM PureApplication System to the following fix level:
IBM PureApplication V2.2.5.3.
IBM recommends upgrading to a fixed, supported version of the product. Contact IBM for assistance.
Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>
None
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C