Lucene search

K
ibmIBM4DBFF6284064924AB7A8A0681BAC6EA522648C6A5FD896B1D18E2635D6643B24
HistoryJun 17, 2018 - 5:17 a.m.

Security Bulletin: Rational Systems Tester is affected by Libxml2 vulnerabilities CVE-2016-9318, CVE-2017-5969, CVE-2017-7375 and CVE-2017-8872

2018-06-1705:17:24
www.ibm.com
6

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

A new Libxml2 vulnerability was disclosed by the Libxml2 Project. Libxml2 is used by Rational Systems Tester. Rational Systems Tester has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2016-9318**
DESCRIPTION:** Llibxml2 could allow a remote attacker to obtain sensitive information, caused by failure to offer a flag directly indicating the status of current document. By using a specially-crafted document to conduct a XML external entity (XXE) attack, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119018 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-7375**
DESCRIPTION:** libxml2 could allow a remote attacker to obtain sensitive information, caused by missing validation for external entities in xmlParsePEReference. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128275 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2017-5969**
DESCRIPTION:** libxml2 is vulnerable to a denial of service, caused by a NULL pointer dereference in the xmlSaveDoc functionality when used in recover mode. By persuading a victim to open a specially crafted XML document, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128274 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-8872**
DESCRIPTION:** libxml2 is vulnerable to a buffer overflow, caused by a a buffer-over-read flaw in the htmlParseTryOrFinish function in HTMLparser.c. By sending a specially-crafted request, a local attacker could overflow a buffer and cause a denial of service condition or obtain sensitive information on the system.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Rational Systems Tester 3.3, 3.3.0.1, 3.3.0.2, 3.3.0.3, 3.3.0.4, 3.3.0.5, 3.3.0.6, 3.3.0.7, 3.3.0.7 Interim Fix 1, 3.3.0.7 Interim Fix 2, 3.3.0.7 Interim Fix 3, 3.3.0.7 Interim Fix 4, 3.3.0.7 Interim Fix 5

Remediation/Fixes

Upgrade to Rational Systems Tester Interim Fix 6 for 3.3.0.7

Workarounds and Mitigations

None

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P