Security Bulletin: Vulnerability CVE-2019-3880 in Samba affects IBM i

Summary

Samba is supported on IBM i. IBM i has addressed the applicable CVE.

This security bulletin has been updated, on June 21, 2019, as an additional IBM i PTF is available for IBM i 7.4.

Vulnerability Details

CVEID: CVE-2019-3880 DESCRIPTION: Samba could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted “winreg_SaveKey” request to create a new registry hive file outside a Samba share.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159188&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Releases 7.2, 7.3, and 7.4 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i.

Releases 7.2, 7.3, and 7.4 of IBM i are supported and will be fixed.

The IBM i PTF numbers are:

Release 7.2 – SI69591
Release 7.3 – SI69592
Release 7.4 – SI69593

<https://www-945.ibm.com/support/fixcentral/&gt;

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None