Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5103BAFB735A485F8C7881470D7A85170C7A8016357F8CA0E8657A0DF7E9AEEF
HistoryJul 10, 2019 - 10:10 a.m.

Security Bulletin: Multiple vulnerabilities Perl Compatible Regular Expression (PCRE) libraries - IBM Aspera Shares Application

2019-07-1010:10:01
www.ibm.com
32

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

JSON

Question

Security Bulletin: Multiple vulnerabilities with the open source Perl Compatible Regular Expression (PCRE) libraries used in IBM Aspera Shares Application

Answer

Security Bulletin

Summary

There are multiple vulnerabilities with PCRE’s earlier versions which was used by IBM Aspera Shares Application.

Vulnerability Details

CVEID: CVE-2015-8380 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of a pattern with a \01 string by the pcre_exec function. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108467&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8381 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of patterns with certain group references by the compile_regex function. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108466&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8382 DESCRIPTION: PCRE could allow a remote attacker to obtain sensitive information caused by the mishandling of the pattern and related patterns involving (ACCEPT) by the match function. An attacker could exploit this vulnerability using a specially crafted regular expression to obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108465&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2015-8383 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of certain repeated conditional groups. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108464&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8384 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of pattern and related patterns with certain recursive back references. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108463&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8385 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of pattern and related patterns with certain forward references. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108462&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8386 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of the interaction of lookbehind assertions and mutually recursive subpatterns. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108461&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8387 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by an integer overflow when subroutine calls are mishandled. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108460&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8388 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling ofpattern and related patterns with an unmatched closing parenthesis. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108459&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8389 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of patterns. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108458&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8390 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of substrings in character classes. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108457&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8391 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of certain nesting by the pcre_compile function. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108456&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8392 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of certain instances of the (?| substring. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108455&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8393 DESCRIPTION: PCRE could allow a remote attacker to obtain sensitive information caused by the mishandling of the -q option for binary files by pcregrep. An attacker could exploit this vulnerability using a specially crafted file to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108454&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-8394 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of digits. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108453&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8395 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of certain references. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108452&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Aspera Shares Application 1.9.2 or earlier

Remediation/Fixes

Upgrade to IBM Aspera Shares Application 1.9.4 or later for Linux and 1.9.6 or later for windows from here: (http://downloads.asperasoft.com/en/downloads/34).

For unsupported versions of IBM Aspera Shares Application IBM recommends upgrading to a fixed supported version/release/platform of the product.

Workarounds and Mitigations

None

References

Complete CVSS v3 Guide

On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

30 September 2016: Original version published

_*_The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST) the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Business Unit”:{“code”:“BU053”,“label”:“Cloud & Data Platform”},“Product”:{“code”:“SS8NDZ”,“label”:“IBM Aspera”},“Component”:“”,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“All Versions”,“Edition”:“”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}}]

CPENameOperatorVersion
ibm asperaeqany

Related

ibm 11
openwrt 1
fedora 4
symantec 1
nessus 38
f5 5
gentoo 1
freebsd 1
openvas 17
ubuntu 1
rosalinux 1
prion 17
debiancve 17
ubuntucve 17
cve 17
amazon 6
centos 1
oraclelinux 1
redhat 3
veracode 37
suse 2
ibm
ibm
Security Bulletin: Multiple vulnerabilities with the open source Perl Compatible Regular Expression (PCRE) libraries used in IBM Aspera Shares Application
2018-06-15 07:08:32
Security Bulletin:Multiple vulnerabilities in PCRE affect IBM Tivoli Network Manager IP Edition.
2018-06-17 15:15:49
Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the consumed PCRE library.
2023-12-20 20:15:48
openwrt
openwrt
pcre: Security update (18 CVEs)
2016-01-28 12:40:02
fedora
fedora
[SECURITY] Fedora 22 Update: mingw-pcre-8.38-1.fc22
2016-02-17 04:25:54
[SECURITY] Fedora 22 Update: pcre-8.38-1.fc22
2016-01-04 19:59:47
[SECURITY] Fedora 23 Update: mingw-pcre-8.38-1.fc23
2016-02-17 04:01:55
symantec
symantec
SA128 : Multiple PCRE Vulnerabilities
2016-07-07 08:00:00
nessus
nessus
GLSA-201607-02 : libpcre: Multiple Vulnerabilities
2016-07-11 00:00:00
PHP 5.6.x < 5.6.18 Multiple Vulnerabilities
2019-01-09 00:00:00
Fedora 22 : mingw-pcre-8.38-1.fc22 (2016-f59a8ff5d0)
2016-03-04 00:00:00
f5
f5
SOL20225390 - Multiple PCRE vulnerabilities
2016-02-04 00:00:00
K20225390 : Multiple PCRE vulnerabilities
2016-02-04 00:00:00
K05428062 : pcregrep in PCRE vulnerability CVE-2015-8393
2016-02-08 00:00:00
gentoo
gentoo
libpcre: Multiple Vulnerabilities
2016-07-09 00:00:00
freebsd
freebsd
php -- multiple vulnerabilities
2016-02-04 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2016:3161-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2016:2971-1)
2021-04-19 00:00:00
Ubuntu: Security Advisory (USN-2943-1)
2016-04-11 00:00:00
ubuntu
ubuntu
PCRE vulnerabilities
2016-03-29 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2021-1947
2021-07-02 17:40:57
prion
prion
Design/Logic Flaw
2015-12-02 01:59:00
Buffer overflow
2015-12-02 01:59:00
Buffer overflow
2015-12-02 01:59:00
debiancve
debiancve
CVE-2015-8384
2015-12-02 01:59:00
CVE-2015-8395
2015-12-02 01:59:00
CVE-2015-8392
2015-12-02 01:59:00
ubuntucve
ubuntucve
CVE-2015-8392
2015-12-01 00:00:00
CVE-2015-8395
2015-12-01 00:00:00
CVE-2015-8384
2015-12-01 00:00:00
cve
cve
CVE-2015-8392
2015-12-02 01:59:00
CVE-2015-8384
2015-12-02 01:59:00
CVE-2015-8395
2015-12-02 01:59:00
amazon
amazon
Medium: pcre
2023-06-05 16:39:00
Medium: glib2
2023-06-21 19:11:00
Medium: glib2
2023-06-21 19:11:00
centos
centos
pcre security update
2016-05-13 00:44:08
oraclelinux
oraclelinux
pcre security update
2016-05-11 00:00:00
redhat
redhat
(RHSA-2016:1025) Important: pcre security update
2016-05-11 11:17:05
(RHSA-2016:1132) Important: rh-mariadb100-mariadb security update
2016-05-26 08:10:09
(RHSA-2016:2750) Moderate: rh-php56 security, bug fix, and enhancement update
2016-11-15 11:13:31
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:34:18
Denial Of Service (DoS)
2019-05-02 05:34:19
Denial Of Service (DoS)
2019-05-02 05:34:19
suse
suse
Security update for SLES 12 Docker image (important)
2017-10-11 03:06:53
Security update for SLES 12-SP1 Docker image (important)
2017-10-11 03:07:32

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

JSON
Related for 5103BAFB735A485F8C7881470D7A85170C7A8016357F8CA0E8657A0DF7E9AEEF
ibm11openwrt1fedora4symantec1nessus38f55gentoo1freebsd1openvas17ubuntu1rosalinux1prion17debiancve17ubuntucve17cve17amazon6centos1oraclelinux1redhat3veracode37suse2