Lucene search

IBM4BEF51413C12CE864265BE9A5C9D813EE885B535F60443DF7768AABF6F45930A

HistoryApr 19, 2024 - 2:34 p.m.

Security Bulletin: IBM i Access Client Solutions is vulnerable to an infinite loop or out of memory error due to vulnerabilities in Apache Commons Compress.

2024-04-1914:34:20

www.ibm.com

ibm i access client solutions

apache commons compress

infinite loop

out of memory error

upgrading

data transfer

xls

xlsx

vulnerability

denial of service

pack200 file

dump file

security bulletin

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.9%

JSON

Summary

IBM i Access Client Solutions is vulnerable to an infinite loop (CVE-2024-25710) or an out of memory error (CVE-2024-26308) in Apache Commons Compress. Apache Commons Compress is used by the Data Transfer feature of IBM i Access Client Solutions when transferring data from (reading) xls and xlsx file formats. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2024-25710
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283472 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-26308
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM i Access Family	1.1.2 - 1.1.4,
1.1.4.3 - 1.1.9.4

Remediation/Fixes

The issue can be fixed by upgrading to version 1.1.9.5 or later. See IBM i Access Client Solutions updates for the latest version available.

Product(s)

Version(s)

Remediation/Fix/Instructions

—|—|—

IBM i Access Client Solutions

1.1.2 - 1.1.4,
1.1.4.3 - 1.1.9.4

The current version of IBM i Access Client Solutions is available at Downloads.

Or you may download it from the general IBM i software site at
Entitled Systems Support (ESS).

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmi_accessRange1.1.2≥

ibmi_accessRange≤1.1.4

CPENameOperatorVersion
ibm i access familyge1.1.2
ibm i access familyle1.1.4

CPE	Name	Operator	Version
	ibm i access family	ge	1.1.2
	ibm i access family	le	1.1.4

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.9%

JSON

Related for 4BEF51413C12CE864265BE9A5C9D813EE885B535F60443DF7768AABF6F45930A