Published: Apr 26, 2023, 2:21 p.m.

Security Bulletin: TADDM is vulnerable to a denial of service due to vulnerabilities in ICU4J Library

Source: www.ibm.com

CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)

EPSS: 0.038 Low (percentile 91.7%)

Summary

The ICU4J library used by IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to CVE-2007-4770, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-9654, CVE-2015-5922 and CVE-2017-15422.

Vulnerability Details

CVEID: CVE-2007-4770
**DESCRIPTION:** libicu is vulnerable to a denial of service related to corrupt REStackFrames. By sending a specially crafted regular expression containing illegal backreferences to capture group zero, a local attacker could crash linked applications.
CVSS Base score: 2.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/39938 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-7923
**DESCRIPTION:** Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error in ICU. An attacker could exploit this vulnerability, using unknown attack vectors, to execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/100294 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-7926
**DESCRIPTION:** Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error in ICU. An attacker could exploit this vulnerability, using unknown attack vectors, to execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/100297 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8146
**DESCRIPTION:** The ICU Project ICU4C library is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in the resolveImplicitLevels function of ubidi.c. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 4.4
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/102875 for the current score.
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-9654
**DESCRIPTION:** ICU could allow a remote attacker to execute arbitrary code on the system, caused by improper size limit checks when handling regular expressions. An attacker could exploit this vulnerability using specially crafted data to execute arbitrary code on the system with elevated privileges or cause the application using ICU to crash.
CVSS Base score: 5.6
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/110456 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-5922
**DESCRIPTION:** Multiple unspecified errors in Apple Mac OS X within ICU have an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/106838 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-15422
**DESCRIPTION:** Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in ICU. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 6.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/136054 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s)|Version(s)
—|—
IBM Tivoli Application Dependency Discovery Manager|7.3.0.0 - 7.3.0.10

Remediation/Fixes

To fix these vulnerabilities, follow the steps below:

**For TADDM 7.3.0.0-7.3.0.9,** upgrade your TADDM environment to 7.3.0.10, then download the e-fix listed in Table-1 and apply it.

**For TADDM 7.3.0.10,** download the e-fix listed in Table-1 and apply it.

Table-1

Fix|VRMF|APAR|How to acquire fix
—|—|—|—
efix_icu4j_72.1_FP10221123.zip|7.3.0.10|None|Download eFix

Refer to the table below to download TADDM FixPack 7.3.0.10.

Fix|How to acquire fix
—|—
7.3-TIV-ITADDM-FP00010|Download FixPack

The TADDM FixPack 7.3.0.10 Release Notes, with more information about the update, are at:

https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp10
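After applying the fix pack and the e-fix, a practitioner will want to confirm that no old ICU4J jar is left on disk. The script below is an added example, not IBM's tooling or part of the e-fix. It assumes that the e-fix name efix_icu4j_72.1_FP10221123.zip means ICU4J 72.1 is the patched level, that the ICU4J version is carried in the jar manifest's Bundle-Version (or Implementation-Version) attribute with the file name as a fallback, and that the TADDM install root (for example /opt/IBM/taddm/dist) is given on the command line; the install tree built by demo() is constructed for the example.

```python
"""Audit a TADDM install tree for ICU4J jars older than the level shipped by the e-fix."""
import os
import re
import tempfile
import zipfile

# Assumption: the e-fix name efix_icu4j_72.1_FP10221123.zip means ICU4J 72.1 is the patched level.
PATCHED_VERSION = (72, 1)
# Assumption: manifest attributes that carry the ICU4J version (Bundle-Version is the OSGi one).
VERSION_ATTRS = ("Bundle-Version", "Implementation-Version")


def parse_manifest(data):
    """Parse META-INF/MANIFEST.MF: 'Name: value' lines; a line starting with a space continues the previous value."""
    attrs, last = {}, None
    for raw in data.decode("utf-8", "replace").splitlines():
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def version_tuple(text):
    """'72.1.0' -> (72, 1, 0); '4.8.1.1' -> (4, 8, 1, 1); unparseable -> () so it sorts as oldest."""
    match = re.match(r"(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in match.group(1).split(".")) if match else ()


def icu4j_version(jar_path):
    """Read the ICU4J version from the jar manifest, falling back to the file name (icu4j-4.8.1.1.jar)."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
        except KeyError:  # jar has no manifest
            attrs = {}
    for attr in VERSION_ATTRS:
        version = version_tuple(attrs.get(attr))
        if version:
            return version
    return version_tuple(re.sub(r"^icu4j-?", "", os.path.basename(jar_path), flags=re.I))


def find_icu4j_jars(root):
    """Walk the install tree and yield every jar whose name starts with icu4j."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().startswith("icu4j") and name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


def audit(root, patched=PATCHED_VERSION):
    """Return {jar_path: version_tuple} for every ICU4J jar below the patched level (unknown versions included)."""
    stale = {}
    for path in find_icu4j_jars(root):
        version = icu4j_version(path)
        if version < patched:
            stale[path] = version
    return stale


def make_jar(path, version):
    """Write a minimal jar with a Bundle-Version manifest (constructed sample, not a real ICU4J build)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nBundle-SymbolicName: com.ibm.icu\r\nBundle-Version: {version}\r\n\r\n")


def demo():
    """Constructed install tree with one stale and one patched jar; returns {file name: version} of the stale ones."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        make_jar(os.path.join(lib, "icu4j-4.8.1.1.jar"), "4.8.1.1")
        make_jar(os.path.join(lib, "icu4j.jar"), "72.1.0")
        return {os.path.basename(p): v for p, v in audit(root).items()}


if __name__ == "__main__":
    import sys
    # Assumption: the install root is passed on the command line; with no argument the constructed demo runs.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit(target) if target else demo()
    for path, version in sorted(result.items()):
        print(f"STALE {path}: {'.'.join(map(str, version)) or 'unknown'}")
    print("no stale ICU4J jars found" if not result else f"{len(result)} stale jar(s)")
```

A jar with no recoverable version is reported as stale on purpose: an unidentifiable ICU4J copy is a finding, not a pass. The check only sees jars that sit on disk under the given root; ICU4J classes repackaged inside another archive or a WAR/EAR are not inspected, so treat a clean result as necessary, not sufficient, and still confirm the e-fix level through the product's own means.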

Workarounds and Mitigations

None
