9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.285 Low
EPSS
Percentile
96.2%
GnuTLS is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.
CVEID: CVE-2017-7869**
DESCRIPTION:** GnuTLS is vulnerable to a denial of service, caused by an integer overflow and heap-based buffer overflow in cdk_pkt_read function in opencdk/read-packet.c. An attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-7507**
DESCRIPTION:** GnuTLS is vulnerable to a denial of service, caused by a NULL pointer dereference while decoding a status response TLS extension with valid contents. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128676 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-5337**
DESCRIPTION:** GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a stack or heap-based buffer overflow error. By sending a specially-crafted OpenPGP certificate, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120490 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-5336**
DESCRIPTION:** GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a stack or heap-based buffer overflow error. By sending a specially-crafted OpenPGP certificate, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120489 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-5335**
DESCRIPTION:** GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a stack or heap-based buffer overflow error. By sending a specially-crafted OpenPGP certificate, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120488 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-5334**
DESCRIPTION:** GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a double-free memory error in gnutls_x509_ext_import_proxy() function. By sending a specially-crafted X.509 containing a Proxy Certificate Information extension, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120486 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-7444**
DESCRIPTION:** GnuTLS could allow a remote attacker to bypass security restrictions, caused by the failure to verify the serial length of an OCSP response by the gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c. An attacker could exploit this vulnerability using vectors involving trailing bytes left by gnutls_malloc to bypass the certificate validation mechanism.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117393 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Power HMC V8.8.6.0
Power HMC V8.8.7.0
The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>
Product
|
VRMF
|
APAR
|
Remediation/Fix
—|—|—|—
Power HMC
|
V8.8.6.0 SP2
|
MB04106
|
Power HMC
|
V8.8.7.0 x86
|
MB04110
|
Power HMC
|
V8.8.7.0 ppc
|
MB04112
|
None
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.285 Low
EPSS
Percentile
96.2%