Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM4F86FCE6A6F4F4C425A9B8B38A5DA84E886B0D17EA3E74948CB4061B7FE23597
HistorySep 10, 2021 - 2:15 p.m.

Security Bulletin: Multiple vulnerabilities in ICU libraries used in IBM DataPower Gateway

2021-09-1014:15:27
www.ibm.com
44

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.026 Low

EPSS

Percentile

88.9%

JSON

Summary

IBM has addressed the following vulnerabilities in the ICU libraries used by drouter: CVE-2014-8147, CVE-2014-8146, CVE-2017-14952, CVE-2020-10531,

Vulnerability Details

CVEID:CVE-2014-8147
**DESCRIPTION:**ICU Project ICU4C library could allow a local attacker execute arbitrary code on the system, caused by an error in the resolveImplicitLevels function of ubidi.c. By sending an overly long string, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/102876 for the current score.
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID:CVE-2014-8146
**DESCRIPTION:**ICU Project ICU4C library is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by resolveImplicitLevels function of ubidi.c. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/102875 for the current score.
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID:CVE-2017-14952
**DESCRIPTION:**International Components for Unicode (ICU) for C/C++ could allow a remote attacker to execute arbitrary code on the system, caused by a double free in i18n/zonemeta.cpp. By using a specially crafted string, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/133526 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-10531
**DESCRIPTION:**International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway V10 CD 10.0.2.0
IBM DataPower Gateway 10.0.1 10.0.0.0-10.0.1.3
IBM DataPower Gateway 2018.4.1 2018.4.1.0-2018.4.1.16

Remediation/Fixes

Install the approppriate fixpack from the table below

Affected Product Fixed in Version APAR Download
IBM DataPower Gateway V10 CD 10.0.3.0 IT37523 <https://www.ibm.com/support/pages/node/6435715&gt;
IBM DataPower Gateway 10.0.1 10.0.1.4 IT37523

<https://www.ibm.com/support/pages/node/6205303&gt;

IBM DataPower Gateway 2018.4.1| 2018.4.1.17| IT37523|

<https://www.ibm.com/support/pages/node/316533&gt;

For customers on previous versions, IBM recommends upgrading to a fixed, supported version of the product

Workarounds and Mitigations

None

Related

ibm 6
f5 3
nessus 66
securityvulns 2
exploitpack 1
openvas 40
cert 1
gentoo 2
ubuntu 4
mageia 2
exploitdb 1
debian 4
osv 12
suse 2
ubuntucve 4
cloudfoundry 2
archlinux 2
fedora 3
cve 6
debiancve 4
prion 4
threatpost 1
redhatcve 2
veracode 2
oraclelinux 5
centos 2
redhat 7
alpinelinux 1
rocky 3
amazon 2
almalinux 3
ibm
ibm
Security Bulletin: IBM DataPower Gateway Virtual Edition uses out of date ICU libraries in open-vm-tools
2022-06-02 12:50:09
Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in ICU [CVE-2017-14952 and CVE-2020-10531]
2022-08-18 13:01:38
Security Bulletin: ICU Vulnerability Affects IBM Control Center (CVE-2020-10531)
2021-06-16 19:41:45
f5
f5
SOL16835 - ICU overflow vulnerabilities CVE-2014-8146 and CVE-2014-8147
2015-07-02 00:00:00
K16835 : ICU overflow vulnerabilities CVE-2014-8146 and CVE-2014-8147
2015-07-02 00:00:00
K51197241 : ICU vulnerability CVE-2020-10531
2020-04-08 00:00:00
nessus
nessus
GLSA-201507-04 : International Components for Unicode: Multiple vulnerabilities
2015-07-08 00:00:00
openSUSE Security Update : icu (openSUSE-2017-1011)
2017-09-06 00:00:00
SUSE SLED12 / SLES12 Security Update : icu (SUSE-SU-2017:2318-1)
2017-09-01 00:00:00
securityvulns
securityvulns
[CVE-2014-8146/8147] - ICU heap and integer overflows / I-C-U-FAIL
2015-05-11 00:00:00
libicu security vulnerabilities
2015-05-11 00:00:00
exploitpack
exploitpack
ICU library 52 54 - Multiple Vulnerabilities
2015-06-10 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2017:2318-1)
2021-04-19 00:00:00
Ubuntu: Security Advisory (USN-2605-1)
2015-05-12 00:00:00
Gentoo Security Advisory GLSA 201507-04
2015-09-29 00:00:00
cert
cert
ICU Project ICU4C library contains multiple overflow vulnerabilities
2015-05-04 00:00:00
gentoo
gentoo
International Components for Unicode: Multiple vulnerabilities
2015-07-07 00:00:00
ICU: Integer overflow
2020-03-15 00:00:00
ubuntu
ubuntu
ICU vulnerabilities
2015-05-11 00:00:00
ICU vulnerability
2017-10-23 00:00:00
ICU vulnerability
2017-10-23 00:00:00
mageia
mageia
Updated icu package fixes security vulnerabilities
2015-07-27 20:34:09
Updated icu packages fix security vulnerability
2017-11-16 11:36:22
exploitdb
exploitdb
ICU library 52 &lt; 54 - Multiple Vulnerabilities
2015-06-10 00:00:00
debian
debian
[SECURITY] [DSA 3323-1] icu security update
2015-08-01 16:07:55
[SECURITY] [DSA 4646-1] icu security update
2020-03-25 16:27:53
[SECURITY] [DLA 2151-1] icu security update
2020-03-20 12:16:16
osv
osv
icu - security update
2015-08-01 00:00:00
CVE-2017-14952
2017-10-16 16:29:00
Important: nodejs:10 security update
2020-04-06 07:21:40
suse
suse
Security update for icu (moderate)
2018-05-25 11:33:28
Security update for icu (important)
2020-04-06 00:00:00
ubuntucve
ubuntucve
CVE-2014-8146
2014-12-31 00:00:00
CVE-2017-14952
2017-10-16 00:00:00
CVE-2014-8147
2014-12-31 00:00:00
cloudfoundry
cloudfoundry
USN-3458-1: ICU vulnerability | Cloud Foundry
2017-11-27 00:00:00
USN-4305-1: ICU vulnerability | Cloud Foundry
2020-04-08 00:00:00
archlinux
archlinux
[ASA-201711-25] icu: arbitrary code execution
2017-11-19 00:00:00
[ASA-201711-26] lib32-icu: arbitrary code execution
2017-11-20 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: icu-57.1-7.fc26
2017-11-15 20:24:09
[SECURITY] Fedora 27 Update: icu-57.1-9.fc27
2017-11-15 17:59:58
[SECURITY] Fedora 27 Update: icu-57.1-10.fc27
2018-09-17 18:53:01
cve
cve
CVE-2014-8146
2015-05-25 22:59:00
CVE-2014-8147
2015-05-25 22:59:00
CVE-2017-14952
2017-10-16 16:29:00
debiancve
debiancve
CVE-2014-8146
2015-05-25 22:59:00
CVE-2014-8147
2015-05-25 22:59:00
CVE-2017-14952
2017-10-16 16:29:00
prion
prion
Heap overflow
2015-05-25 22:59:00
Design/Logic Flaw
2015-05-25 22:59:00
Double free
2017-10-16 16:29:00
threatpost
threatpost
ICU Project ICU4C Library Vulnerabilities Patched
2015-05-05 11:21:07
redhatcve
redhatcve
CVE-2017-14952
2017-11-08 13:20:31
CVE-2020-10531
2020-03-31 08:39:00
veracode
veracode
Remote Code Execution (RCE)
2018-05-30 08:56:39
Remote Code Execution (RCE)
2020-07-14 02:35:29
oraclelinux
oraclelinux
icu security update
2020-03-19 00:00:00
nodejs:12 security update
2020-04-02 00:00:00
icu security update
2020-03-19 00:00:00
centos
centos
icu, libicu security update
2020-03-25 19:22:01
icu, libicu security update
2020-03-25 19:16:31
redhat
redhat
(RHSA-2020:0896) Important: icu security update
2020-03-18 15:27:49
(RHSA-2020:0902) Important: icu security update
2020-03-19 10:43:49
(RHSA-2020:1317) Important: nodejs:10 security update
2020-04-06 07:21:40
alpinelinux
alpinelinux
CVE-2020-10531
2020-03-12 19:15:00
rocky
rocky
icu security update
2020-03-19 10:43:49
nodejs:10 security update
2020-04-06 07:21:40
nodejs:12 security update
2020-04-02 07:23:16
amazon
amazon
Medium: icu
2020-04-20 20:34:00
Important: icu
2020-05-05 01:13:00
almalinux
almalinux
Important: nodejs:12 security update
2020-04-02 07:23:16
Important: nodejs:10 security update
2020-04-06 07:21:40
Important: icu security update
2020-03-19 10:43:49

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.026 Low

EPSS

Percentile

88.9%

JSON
Related for 4F86FCE6A6F4F4C425A9B8B38A5DA84E886B0D17EA3E74948CB4061B7FE23597
ibm6f53nessus66securityvulns2exploitpack1openvas40cert1gentoo2ubuntu4mageia2exploitdb1debian4osv12suse2ubuntucve4cloudfoundry2archlinux2fedora3cve6debiancve4prion4threatpost1redhatcve2veracode2oraclelinux5centos2redhat7alpinelinux1rocky3amazon2almalinux3