Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5D56ED4CCA917B7F9B6165273EC877817FB5042AE5B1564A8E3020A7B2A4C964
HistoryJan 31, 2019 - 1:55 a.m.

Security Bulletin: IBM BladeCenter Advanced Management Module is affected by glibc vulnerabilities (CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, and CVE-2014-9402)

2019-01-3101:55:01
www.ibm.com
6

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Summary

Security vulnerabilities in glibc affect IBM BladeCenter Advanced Management Module (AMM).

Vulnerability Details

Summary

Security vulnerabilities in glibc affect IBM BladeCenter Advanced Management Module (AMM).

Vulnerability Details:

CVE-ID: CVE-2013-7423

Description: GNU glibc could allow a local attacker to obtain sensitive information, caused by the writing of DNS queries to random file descriptors under high load by the getaddrinfo() function. An attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 1.2
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/100647&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-7817

Description: GNU C Library (glibc) could allow a local attacker to execute arbitrary commands on the system, caused by an error in the wordexp() function. An attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVSS Base Score: 4.6
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/98852&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2014-9402

Description: glibc is vulnerable to a denial of service, caused by an error in the getanswer() function. If the DNS backend is activated, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/99289&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-1472

Description: NU glibc is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by stdio-common/vfscanf.c. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.

CVSS Base Score: 4.6
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/100635&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Affected products and versions

IBM BladeCenter Advanced Management Module Firmware v3.66K (BPET66K, BBET66K, BPEO66K) and previous versions are affected.

This applies to the following hardware products:

  • BladeCenter Advanced Management Module, Option 25R5778
  • BladeCenter T Advanced Management Module, Option 32R0835
  • IBM BladeCenter™-E: Type 1881, 7967, 8677
  • IBM BladeCenter™-H: Types 1886, 7989, 8852
  • IBM BladeCenter™-HT: Types 8740, 8750
  • IBM BladeCenter™-S: Types 1948, 7779, 8886
  • IBM BladeCenter™-T: Types 8720, 8730

Remediation/Fixes:

You should verify applying this fix does not cause any compatibility issues.

Fix Central: <http://www-933.ibm.com/support/fixcentral/&gt;

Product Version
BladeCenter Advanced Management Module — IBM BladeCenter T Chassis Update to v3.66N (BBET66N)
BladeCenter Advanced Management Module — BladeCenter OEM Chassis Update to v3.66N (BPEO66N)
BladeCenter Advanced Management Module — All other IBM BladeCenter Chassis Update to v3.66N (BPET66N)

Workarounds and Mitigations:

None

References:

Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History
30 April 2015: Original Copy Published

  • The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related

ibm 22
openvas 40
nessus 57
fedora 2
ubuntu 2
centos 5
oraclelinux 8
redhat 7
gentoo 1
ubuntucve 5
prion 4
f5 8
cve 4
debiancve 4
amazon 4
mageia 4
debian 5
archlinux 3
securityvulns 6
osv 4
zdt 1
packetstorm 3
ibm
ibm
Security Bulletin: Multiple vulnerabilities in glibc affect IBM Flex System Manager(FSM) (CVE-2013-7423, CVE-2014-7817, CVE-2014-9402, CVE-2015-1472)
2019-01-31 01:45:01
Security Bulletin: Multiple vulnerabilities in glibc affect IBM Flex System Manager(FSM) (CVE-2013-7423, CVE-2014-7817, CVE-2014-9402, CVE-2015-1472)
2019-01-31 01:45:01
Security Bulletin: Vulnerabilities in GNU C Library Affect Power Hardware Management Console (CVE-2013-7423, CVE-2014-7817, CVE-2014-9402, CVE-2015-1472)
2021-09-23 01:31:39
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2015:0526-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:0439-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:0550-1)
2021-06-09 00:00:00
nessus
nessus
SuSE 11.3 Security Update : glibc (SAT Patch Number 10357)
2015-03-06 00:00:00
SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2015:0526-1)
2015-05-20 00:00:00
openSUSE Security Update : glibc (openSUSE-2015-173)
2015-02-27 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: glibc-2.20-8.fc21
2015-03-04 10:27:01
[SECURITY] Fedora 20 Update: glibc-2.18-19.fc20
2015-03-04 10:25:31
ubuntu
ubuntu
GNU C Library vulnerabilities
2015-02-26 00:00:00
GNU C Library vulnerabilities
2014-12-03 00:00:00
centos
centos
glibc, nscd security update
2015-11-30 19:30:07
glibc, nscd security update
2014-12-19 12:43:11
glibc, nscd security update
2015-04-21 13:07:39
oraclelinux
oraclelinux
glibc security, bug fix, and enhancement update
2015-11-24 00:00:00
glibc security and bug fix update
2015-04-21 00:00:00
glibc security and bug fix update
2015-01-07 00:00:00
redhat
redhat
(RHSA-2015:2199) Moderate: glibc security, bug fix, and enhancement update
2015-11-19 14:39:58
(RHSA-2016:1207) Moderate: glibc security update
2016-06-07 05:18:46
(RHSA-2015:2589) Important: glibc security update
2015-12-09 08:43:11
gentoo
gentoo
GNU C Library: Multiple vulnerabilities
2016-02-17 00:00:00
ubuntucve
ubuntucve
CVE-2013-7423
2015-02-24 00:00:00
CVE-2014-9402
2015-02-24 00:00:00
CVE-2014-7817
2014-11-24 00:00:00
prion
prion
Design/Logic Flaw
2015-02-24 15:59:00
Design/Logic Flaw
2015-02-24 15:59:00
Input validation
2014-11-24 15:59:00
f5
f5
SOL16841 - GNU C Library (glibc) vulnerability CVE-2013-7423
2015-07-02 00:00:00
K16841 : GNU C Library (glibc) vulnerability CVE-2013-7423
2015-11-12 00:00:00
K16365 : glibc vulnerability CVE-2014-9402
2015-07-23 00:00:00
cve
cve
CVE-2013-7423
2015-02-24 15:59:00
CVE-2014-9402
2015-02-24 15:59:00
CVE-2014-7817
2014-11-24 15:59:00
debiancve
debiancve
CVE-2013-7423
2015-02-24 15:59:00
CVE-2014-9402
2015-02-24 15:59:00
CVE-2014-7817
2014-11-24 15:59:00
amazon
amazon
Important: glibc
2015-12-14 10:00:00
Medium: glibc
2015-04-22 16:12:00
Medium: glibc
2015-01-08 12:38:00
mageia
mageia
Updated glibc packages fix CVE-2014-7817
2014-11-26 20:29:06
Updated glibc packages fix security vulnerabilities
2015-01-08 15:24:22
Updated glibc packages fix security vulnerabilities
2015-02-17 21:38:13
debian
debian
[SECURITY] [DLA 122-1] eglibc security update
2014-12-22 23:19:26
[SECURITY] [DSA 3169-1] eglibc security update
2015-02-23 06:08:58
[SECURITY] [DLA 97-1] eglibc security update
2014-11-29 18:51:24
archlinux
archlinux
glibc: command execution
2014-11-21 00:00:00
glibc: arbitrary code execution
2014-12-18 00:00:00
glibc: multiple issues
2015-02-09 00:00:00
securityvulns
securityvulns
GNU glibc code execution
2014-11-30 00:00:00
[ MDVSA-2014:232 ] glibc
2014-11-30 00:00:00
GNU glibc multiple security vulnerabilities
2015-03-07 00:00:00
osv
osv
eglibc - security update
2015-02-23 00:00:00
eglibc - security update
2014-11-29 00:00:00
eglibc - security update
2015-01-27 00:00:00
zdt
zdt
Moxa Command Injection / Cross Site Scripting Vulnerabilities
2021-09-01 00:00:00
packetstorm
packetstorm
Moxa Command Injection / Cross Site Scripting / Vulnerable Software
2021-09-01 00:00:00
Cisco Device Hardcoded Credentials / GNU glibc / BusyBox
2019-09-04 00:00:00
WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials
2019-06-13 00:00:00

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON
Related for 5D56ED4CCA917B7F9B6165273EC877817FB5042AE5B1564A8E3020A7B2A4C964
ibm22openvas40nessus57fedora2ubuntu2centos5oraclelinux8redhat7gentoo1ubuntucve5prion4f58cve4debiancve4amazon4mageia4debian5archlinux3securityvulns6osv4zdt1packetstorm3