Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM8B33DE18424CFF523B0A425148577938EB85F0E79D969257FB90B1EB074C37DE
HistoryOct 18, 2019 - 3:10 a.m.

Security Bulletin: Multiple Security Vulnerabilities in Expat affect IBM Netezza Analytics

2019-10-1803:10:29
www.ibm.com
11

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Summary

Expat vulnerabilities were disclosed August and September 2016. Expat is used by IBM Netezza Analytics. IBM Netezza Analytics has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2012-6702**
DESCRIPTION:** Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, could provide weaker than expected security. An attacker could exploit this vulnerability using attack vectors involving use of the srand function to defeat cryptographic protection mechanisms.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114541 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-5300**
DESCRIPTION:** Expat XML parser is vulnerable to a denial of service, caused by the failure to use sufficient entropy for hash initialization. By using a specially-crafted identifiers in an XML document, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114435 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2012-0876**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73868 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-1147**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by a resource leak in readfilemap.c when handling XML data. A remote attacker could exploit this vulnerability to cause the application using the vulnerable XML parsing library to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73866 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2012-1148**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by a memory leak in poolGrow when handling XML data. A remote attacker could exploit this vulnerability to cause the application using the vulnerable XML parsing library to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73867 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-4472**
DESCRIPTION:** Expat XML parser is vulnerable to a denial of service, caused by the removal by compilers with certain optimization settings. By using a specially-crafted XML data, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114683 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-0718**
DESCRIPTION:** Expat is vulnerable to a buffer overflow, caused by improper bounds checking when processing malformed XML data. By using the Expat library, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Netezza Analytics 3.2.2 and earlier

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Netezza Analytics| 3.2.3.0| http://www-933.ibm.com/support/fixcentral

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm puredata systemeq1.0.0

Related

ibm 19
openvas 57
nessus 48
fedora 6
osv 6
archlinux 2
mageia 1
debian 4
ubuntu 4
ubuntucve 5
freebsd 3
slackware 3
gentoo 2
cloudfoundry 2
debiancve 5
alpinelinux 2
securityvulns 2
centos 1
redhatcve 1
cve 6
f5 6
oraclelinux 1
redhat 1
veracode 4
prion 5
amazon 1
apple 2
ibm
ibm
Security Bulletin: Multiple Expat XML Parser vulnerabilities in Prospect
2018-06-17 15:27:43
Security Bulletin: Vulnerabilities in Open Source Expact affect Tivoli Network Manager IP Edition
2018-06-17 15:34:31
Security Bulletin: Multiple OpenSource Expat XML Vulnerabilities affect IBM DB2 Net Search Extender for Linux, Unix and Windows
2018-06-16 13:43:54
openvas
openvas
Fedora Update for expat FEDORA-2016-0fd6ca526a
2016-08-02 00:00:00
Fedora Update for expat FEDORA-2016-7c6e7a9265
2016-06-24 00:00:00
Fedora Update for expat FEDORA-2016-60889583ab
2016-06-20 00:00:00
nessus
nessus
Fedora 24 : expat (2016-7c6e7a9265)
2016-07-14 00:00:00
Fedora 22 : expat (2016-0fd6ca526a)
2016-07-15 00:00:00
Fedora 23 : expat (2016-60889583ab)
2016-07-14 00:00:00
fedora
fedora
[SECURITY] Fedora 23 Update: expat-2.1.1-2.fc23
2016-06-19 07:27:54
[SECURITY] Fedora 24 Update: expat-2.1.1-2.fc24
2016-06-21 19:27:49
[SECURITY] Fedora 22 Update: expat-2.1.1-2.fc22
2016-07-12 02:27:38
osv
osv
expat - security update
2016-06-07 00:00:00
expat - security update
2016-06-08 00:00:00
CVE-2016-5300
2016-06-16 18:59:00
archlinux
archlinux
expat: multiple issues
2016-06-13 00:00:00
lib32-expat: multiple issues
2016-06-13 00:00:00
mageia
mageia
Updated expat packages fix security vulnerabilities
2016-06-17 08:58:14
debian
debian
[SECURITY] [DLA 508-1] expat security update
2016-06-08 09:29:13
[SECURITY] [DSA 3597-1] expat security update
2016-06-07 16:44:57
[SECURITY] [DSA 3597-1] expat security update
2016-06-07 16:44:57
ubuntu
ubuntu
XML-RPC for C and C++ vulnerabilities
2016-06-20 00:00:00
Expat vulnerabilities
2016-06-20 00:00:00
XML-RPC for C and C++ vulnerabilities
2012-09-10 00:00:00
ubuntucve
ubuntucve
CVE-2016-5300
2016-06-06 00:00:00
CVE-2012-6702
2012-12-31 00:00:00
CVE-2012-0876
2012-07-03 00:00:00
freebsd
freebsd
expat -- multiple vulnerabilities
2016-03-18 00:00:00
Python 2.7 -- multiple vulnerabilities
2017-08-26 00:00:00
python 2.7 -- multiple vulnerabilities
2018-05-01 00:00:00
slackware
slackware
[slackware-security] expat
2016-12-24 19:24:21
[slackware-security] python
2018-05-04 20:53:50
[slackware-security] python
2017-09-23 06:33:04
gentoo
gentoo
Expat: Multiple vulnerabilities
2017-01-11 00:00:00
Expat: Multiple vulnerabilities
2012-09-24 00:00:00
cloudfoundry
cloudfoundry
USN-3010-1 Expat vulnerabilities | Cloud Foundry
2016-07-13 00:00:00
USN-2983-1 Expat vulnerability | Cloud Foundry
2016-06-13 00:00:00
debiancve
debiancve
CVE-2016-5300
2016-06-16 18:59:00
CVE-2012-6702
2016-06-16 18:59:00
CVE-2012-0876
2012-07-03 19:55:00
alpinelinux
alpinelinux
CVE-2016-5300
2016-06-16 18:59:00
CVE-2012-6702
2016-06-16 18:59:00
securityvulns
securityvulns
expat security vulnerability
2012-04-02 00:00:00
[ MDVSA-2012:041 ] expat
2012-04-02 00:00:00
centos
centos
expat security update
2012-06-13 17:07:10
redhatcve
redhatcve
CVE-2016-5300
2016-06-06 13:18:38
cve
cve
CVE-2016-5300
2016-06-16 18:59:00
CVE-2012-6702
2016-06-16 18:59:00
CVE-2012-1147
2012-07-03 19:55:00
f5
f5
SOL16949 - Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148
2015-07-10 00:00:00
K16949 : Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148
2015-07-11 00:00:00
SOL70938105 - Expat XML library vulnerability CVE-2016-5300
2016-10-26 00:00:00
oraclelinux
oraclelinux
expat security update
2012-06-13 00:00:00
redhat
redhat
(RHSA-2012:0731) Moderate: expat security update
2012-06-13 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 04:41:51
Denial Of Service (DoS)
2017-02-01 06:06:40
Weak Cryptographic Protection
2016-06-08 07:23:46
prion
prion
Code injection
2016-06-16 18:59:00
Design/Logic Flaw
2016-06-16 18:59:00
Code injection
2012-07-03 19:55:00
amazon
amazon
Medium: expat
2012-06-19 15:59:00
apple
apple
About the security content of iTunes 12.6 - Apple Support
2017-03-22 07:40:40
About the security content of iTunes 12.6
2017-03-21 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON
Related for 8B33DE18424CFF523B0A425148577938EB85F0E79D969257FB90B1EB074C37DE
ibm19openvas57nessus48fedora6osv6archlinux2mageia1debian4ubuntu4ubuntucve5freebsd3slackware3gentoo2cloudfoundry2debiancve5alpinelinux2securityvulns2centos1redhatcve1cve6f56oraclelinux1redhat1veracode4prion5amazon1apple2