History: Dec 18, 2019 - 2:26 p.m.

Security Bulletin: Vulnerabilities in Samba affect IBM i

2019-12-18 14:26:38
www.ibm.com
10

EPSS: 0.014 (Percentile: 86.3%)

Summary

Security vulnerabilities in Samba affect IBM i. IBM i has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-7560
DESCRIPTION: Samba could allow a remote authenticated attacker to launch a symlink attack. By creating a symbolic link to a file or directory using SMB1 UNIX extensions and then issuing a non-UNIX SMB1 call, an attacker could exploit this vulnerability to overwrite access control lists on the directory.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111384 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-0771
DESCRIPTION: Samba is vulnerable to a denial of service, caused by an out-of-bounds read error when handling DNS TXT records. By querying an uploaded specially crafted DNS TXT record, a remote authenticated attacker could exploit this vulnerability to crash the internal DNS server or return uninitialized memory.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111383 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

Release 7.2 of IBM i is affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to the IBM i Operating System.

Release 7.2 of IBM i is supported and will be fixed.

http://www-933.ibm.com/support/fixcentral/

The IBM i PTF number is:

Release 7.2 – SI60139

_Important note:_ IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of affected products.

Workarounds and Mitigations

None known.