Security Bulletin: Vulnerabilities in Firefox affect IBM SmartCloud Provisioning 2.1 for Software Virtual Appliance

Summary

Vulnerabilities have been found in Firefox that affect IBM SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance (CVE-2014-1547, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557).

Vulnerability Details

CVEID: CVE-2014-1547**
DESCRIPTION:** Mozilla Firefox and Thunderbird might allow a remote attacker to execute arbitrary code on the system, which is caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker might exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94768&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-1556**
DESCRIPTION:** Mozilla Firefox and Thunderbird might allow a remote attacker to execute arbitrary code on the system, which is caused by an error in WebGLFramebuffer.cpp. By persuading a victim to visit a specially crafted Web site, a remote attacker might exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 9.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94775&gt;_ for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-1557**
DESCRIPTION:** Mozilla Firefox and Thunderbird might allow a remote attacker to execute arbitrary code on the system, which is caused by an error in the Skia Library. By persuading a victim to visit a specially crafted Web site, a remote attacker might exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 9.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/94777&gt;_ for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-1555**
DESCRIPTION:** Mozilla Firefox and Thunderbird might allow a remote attacker to execute arbitrary code on the system, which is caused by a use-after-free error in the nsDocLoader::OnProgress() function when handling FireOnStateChange events. By persuading a victim to visit a specially crafted Web site, a remote attacker might exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94774&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

SmartCloud Provisioning 2.1 for IBM Provided Software Virtual Appliance

Remediation/Fixes

The recommended solution is download SmartCloud Provisioning 2.1 Fix Pack 5 for IBM Provided Software Virtual Appliance Interim Fix 2 from Fix Central and apply it as soon as practical.

Workarounds and Mitigations

None