Vulnerability has been identified in libcurl that is used in OS image for RedHat Enterprise Linux for IBM Cloud Pak System. This security bulletin applies to the OS image for RedHat Enterprise Linux v7.7. OS image for RedHat Enterprise Linux has addressed the vulnerability.
CVEID:CVE-2019-5436
**DESCRIPTION:**cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet() function. By sending overly long data, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161431 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM Cloud Pak System | v.2.3.0.1, v.2.3.1.1 |
OS Image for RedHat Enterprise | v3.0.14, v3.0.15 |
for Cloud Pak System v.2.3.0.1, v.2.3.1.1, v2.3.2.0
apply iFix as available at IBM Fix Central here, this service applies to OS Image for Red Hat Linux v7.7
OR
Upgrade to IBM Cloud Pak System v2.3.3.0 ,
Information on release available here : <http://www.ibm.com/support/docview.wss?uid=ibm10887959>.
None