Lucene search

K
ibmIBM47CF752F038BAF5471EF726C942ED5C2FE4CDF652CC5DB23AE7D21F58CDBD9EF
HistoryJun 17, 2018 - 3:34 p.m.

Security Bulletin: Vulnerabilities in Open Source Expact affect Tivoli Network Manager IP Edition

2018-06-1715:34:31
www.ibm.com
16

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

Summary

Vulnerabilities in Open Source Expat affect Tivoli Network Manager IP Edition. Tivoli Network Manager IP Edition has addressed the applicable CVEs

Vulnerability Details

CVEID: CVE-2012-6702**
DESCRIPTION:** Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, could provide weaker than expected security. An attacker could exploit this vulnerability using attack vectors involving use of the srand function to defeat cryptographic protection mechanisms.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114541 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-5300**
DESCRIPTION:** Expat XML parser is vulnerable to a denial of service, caused by the failure to use sufficient entropy for hash initialization. By using a specially-crafted identifiers in an XML document, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114435 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2012-0876**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73868 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-1147**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by a resource leak in readfilemap.c when handling XML data. A remote attacker could exploit this vulnerability to cause the application using the vulnerable XML parsing library to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73866 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-1148**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by a memory leak in poolGrow when handling XML data. A remote attacker could exploit this vulnerability to cause the application using the vulnerable XML parsing library to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73867 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Tivoli Network Manager IP Edition 3.9.0 - 3.9.0.5
Tivoli Network Manager IP Edition 4.1.1 - 4.1.1.1
Tivoli Network Manager IP Edition 4.2.0 - 4.2.0.1
Impact: Alcatel5620SamSoapFindToFile Collector, Collector Finder and Collector Helper use Expat XML Parser library

Remediation/Fixes


AffectedProduct VRMF APAR Remediation/First Fix
Tivoli Network Manager IP Edition 3.9.0.5 IV89573 Tivoli Network Manager IP Edition 3.9.0 FP5 Expat 2.2.0 Interim Fix
Tivoli Network Manager IP Edition 4.1.1.1 IV89573 Tivoli Network Manager IP Edition 4.1.1 FP1 Expat 2.2.0 Interim Fix
Tivoli Network Manager IP Edition 4.2.0.2 IV89573 Tivoli Network Manager IP Edition 4.2.0 Expat 2.2.0 Fix Pack 2

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

Related for 47CF752F038BAF5471EF726C942ED5C2FE4CDF652CC5DB23AE7D21F58CDBD9EF