IBM4ADB4E5C9333BE81F0AE13CD11FC54A35D37B3E631931FE894238620EDC74EB0Security Bulletin: File vulnerabilities affect IBM SmartClound Entry
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
IBM SmartCloud Entry is vulnerable to file vulnerabilities, An attacker could exploit these vulnerabilities to use a specially-crafted file to consume all available CPU resources, cause a denial of service, execute arbitrary code, or cause applications/executables to crash.
CVE-2014-3538 CVE-2014-3587 CVE-2014-3710 CVE-2014-8116 CVE-2014-8117 CVE-2014-9620 CVE-2014-9653
Vulnerability Details
CVEID: CVE-2014-3538**
DESCRIPTION:** Fine Free file is vulnerable to a denial of service, caused by the failure to properly restrict the amount of data read during a regex search. A remote attacker could exploit this vulnerability using a specially-crafted file to consume all available CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94324 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-3587**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by an incomplete fix related to the cdf_read_property_info() function. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-3710**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by an out-of-bounds read in the donote() function. By persuading a victim to open a specially-crafted elf file, a remote attacker could exploit this vulnerability to cause the executable to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98385 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-8116**
DESCRIPTION:** file(1) is vulnerable to a denial of service, caused by an error in the readelf.c file. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99418 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-8117**
DESCRIPTION:** file(1) is vulnerable to a denial of service, caused by an error in the softmagic.c file. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-9620**
DESCRIPTION:** File is vulnerable to a denial of service, caused by an error in the ELF parser. A remote attacker could exploit this vulnerability using an overly long string to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100258 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-9653**
DESCRIPTION:** file could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in readelf.c. By persuading a victim to open a specially-crafted elf file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100749 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Affected Products and Versions
IBM SmartCloud Entry 2.2.0 through 2.2.0.4 Appliance fix pack 6
IBM SmartCloud Entry 2.3.0 through 2.3.0.4 Appliance fix pack 6
IBM SmartCloud Entry 2.4.0 through 2.4.0.4 Appliance fix pack 6
IBM SmartCloud Entry 3.1.0 through 3.1.0.4 Appliance fix pack 21
IBM SmartCloud Entry 3.2.0 through 3.2.0.4 Appliance fix pack 21
Remediation/Fixes
Product
| VRMF| APAR| Remediation/First Fix
—|—|—|—
IBM SmartCloud Entry| 2.2| None| IBM SmartCloud Entry 2.2.0 Appliance fix pack 7:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Starter+Kit+for+Cloud&fixids=2.2.0.4-IBM-SKC_APPL-FP007&source=SAR
IBM SmartCloud Entry| 2.3| None| IBM SmartCloud Entry 2.3.0 Appliance fix pack 7:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE_APPL-FP007&source=SAR
IBM SmartCloud Entry| 2.4| None| IBM SmartCloud Entry 2.4.0 Appliance fix pack 7:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.4-IBM-SCE_APPL-FP007&source=SAR
IBM SmartCloud Entry| 3.1| None| IBM SmartCloud Entry 3.1.0 Appliance fix pack 22:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.1.0.4-IBM-SCE_APPL-FP22&source=SAR
IBM SmartCloud Entry| 3.2| None| IBM SmartCloud Entry 3.2.0 Appliance fix pack 22:
Workarounds and Mitigations
None
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P