Jun 17, 2018 - 10:30 p.m.

Security Bulletin: Vulnerabilities in GNU C Library affects IBM SmartCloud Provisioning for Software Virtual Appliance (CVE-2014-5119, CVE-2014-0475)

www.ibm.com

EPSS: 0.012 (Low), percentile 85.0%

Summary

Vulnerabilities have been identified in the GNU C Library (glibc) packages, which provide the standard C and standard math libraries on Linux systems. These vulnerabilities affect IBM SmartCloud Provisioning 2.1 for Software Virtual Appliance (CVE-2014-5119, CVE-2014-0475).

Vulnerability Details

CVE-ID: CVE-2014-5119
DESCRIPTION: The GNU C Library (glibc) is vulnerable to a heap-based buffer overflow, which is caused by an off-by-one error in the __gconv_translit_find() function. By setting the CHARSET environment variable to a malicious value, a local attacker might exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with root privileges.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95044> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2014-0475
DESCRIPTION: A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) might possibly use this flaw to execute arbitrary code with the privileges of that application.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94452> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
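
A defensive screen for the CVE-2014-0475 condition described above, added here as an example and not taken from IBM's bulletin or from glibc: it flags locale-selecting environment values that contain a path separator or are a dot component. The function names, the inclusion of LANG alongside LC_*, and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if the variable name (first LEN bytes of NAME) selects a locale:
   any LC_* variable, or LANG (LANG is an assumption of this example). */
static int is_locale_var(const char *name, size_t len)
{
    return (len >= 3 && strncmp(name, "LC_", 3) == 0) ||
           (len == 4 && strncmp(name, "LANG", 4) == 0);
}

/* 1 if VALUE looks like a plain locale name, 0 if it contains a path
   separator or is "." / "..", which could steer a file lookup. */
int locale_name_is_plain(const char *value)
{
    if (strchr(value, '/') != NULL)
        return 0;
    return strcmp(value, "..") != 0 && strcmp(value, ".") != 0;
}

/* Counts entries of a NULL-terminated "NAME=value" array whose locale
   variable carries a non-plain value, reporting each one on stderr. */
int audit_locale_env(const char *const envp[])
{
    int flagged = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || !is_locale_var(envp[i], (size_t)(eq - envp[i])))
            continue;               /* malformed entry or not a locale variable */
        if (!locale_name_is_plain(eq + 1)) {
            fprintf(stderr, "suspicious locale setting: %s\n", envp[i]);
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    /* Constructed sample environment, not taken from the bulletin. */
    const char *const sample[] = {
        "PATH=/usr/bin:/bin",       /* slashes are fine outside locale variables */
        "LANG=en_US.UTF-8",
        "LC_ALL=../../tmp/crafted",
        "LC_TIME=/tmp/crafted",
        "LC_NUMERIC=C",
        NULL
    };
    printf("%d suspicious entries\n", audit_locale_env(sample));
    return 0;
}
```

A check like this suits a wrapper that launches privileged helpers or an audit of captured process environments; it does not replace applying the fix listed under Remediation/Fixes.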

Affected Products and Versions

SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance

Remediation/Fixes

The recommended solution is to download SmartCloud Provisioning 2.1 Fix Pack 5 for Software Virtual Appliance Interim Fix 2 from Fix Central and apply it as soon as practical.

Workarounds and Mitigations

None