IBM441E5A75C157FB63BEB435EE7C8DC42622360C6AF4CD1F02C86A4C02D289DBEDSecurity Bulletin: Public disclosed GNU glibc vulnerabilities used by IBM OS Images for RedHat Linux in IBM PureApplication Systems (CVE-2017-16997 CVE-2018-1000001)
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Summary
There are public disclosed vulnerabilities from GNU glibc that are used by the OS Images for IBM PureApplication System.
To address the vulnerabilities in response to CVE-2017-16997 and CVE-2018-1000001, IBM has released Version 2.2.5.3 for IBM PureApplication System, which includes IBM OS images for Red Hat Linux Systems based deployments.
Vulnerability Details
CVEID: CVE-2017-16997 DESCRIPTION: GNU C Library could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the elf/dl-load.c. By using a Trojan horse library, an attacker could exploit this vulnerability to gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136491> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2018-1000001 DESCRIPTION: Glibc could allow a local attacker to execute arbitrary code on the system, caused by a buffer underflow in the __realpath() function in stdlib/canonicalize.c. An attacker could exploit this vulnerability to execute arbitrary code on the system and obtain privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
For IBM PureApplication:
IBM OS Image for Red Hat Linux Systems 3.0.8.0
IBM OS Image for Red Hat Linux Systems 3.0.9.0
For IBM PureApplication:
IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2
IBM PureApplication System V2.2.4.0
IBM PureApplication System V2.2.5.0
IBM PureApplication System V2.2.5.1
IBM PureApplication System V2.2.5.2
Remediation/Fixes
Note: Upgrade to at least IBM PureApplication System V2.2.5.0.
Visit IBM Fix Central to download the fixes for Linux.
Alternatively, for CVE-2018-1000001, the solution is to upgrade the IBM PureApplication System to the following fix level:
IBM PureApplication V2.2.5.3.
IBM recommends upgrading to a fixed, supported version of the product. Contact IBM for assistance.
Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>
Workarounds and Mitigations
None
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C