History: Aug 15, 2022 - 4:26 p.m.

Security Bulletin: IBM i is affected by networking BIND vulnerabilities CVE-2018-5744 CVE-2019-6465 and CVE-2018-5745.

2022-08-15 16:26:47 (www.ibm.com)

CVSS3: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH

CVSS2: 5 Medium
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

EPSS: 0.025 Low
Percentile: 90.0%

Summary

ISC BIND is vulnerable to these security vulnerabilities. IBM i has addressed these vulnerabilities.

This security bulletin has been updated, on June 21, 2019, as an additional IBM i PTF is available for IBM i 7.4.

Vulnerability Details

CVEID: CVE-2018-5745 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by an error in the managed-keys feature. By replacing a trust anchor's keys with keys which use an unsupported algorithm, a remote authenticated attacker could exploit this vulnerability to cause an assertion failure.
CVSS Base Score: 4.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157386> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-6465 DESCRIPTION: ISC BIND could allow a remote attacker to obtain sensitive information, caused by the failure to properly apply controls for zone transfers to Dynamically Loadable Zones (DLZs) if the zones are writable. An attacker could exploit this vulnerability to request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157377> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-5744 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a failure to free memory when processing messages with a specific combination of EDNS options. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157371> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Releases 7.1, 7.2, 7.3, and 7.4 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i.
Releases 7.1, 7.2, 7.3, and 7.4 of IBM i are supported and will be fixed.

<https://www-945.ibm.com/support/fixcentral/>

The IBM i PTF numbers are:

Release 7.1 – SI69120
Release 7.2 – SI69118
Release 7.3 – SI69119
Release 7.4 – SI69622

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of affected products.

Workarounds and Mitigations

None

CPE Name    Operator    Version
ibm i       eq          7.1.0
ibm i       eq          7.2.0
ibm i       eq          7.3.0
ibm i       eq          7.4.0
