Lucene search

K
ibmIBM8F1916DF16BCE9B41284F1A9B9374A7B3967DF92C2D2FD403A184D97F5FAEAC1
HistoryJun 08, 2021 - 10:18 p.m.

Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways

2021-06-0822:18:27
www.ibm.com
17

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

0.016 Low

EPSS

Percentile

85.4%

Summary

IBM DataPower Gateways has addressed vulnerabilities in processing certain XML files that could cause a denial of service.

Vulnerability Details

CVEID: CVE-2015-5312**
DESCRIPTION:** An unspecified error in Libxml2 related to an entity expansion flaw has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108319 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7497**
DESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlDictComputeFastQKey() function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108320 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7498**
DESCRIPTION:** An unspecified error in Libxml2 related to the processing of entities after encoding conversion failures have occured has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108321 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7499**
DESCRIPTION:** An unspecified error in Libxml2 related to some parser errors has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108322 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7500**
DESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a memory access error when handling invalid entity boundaries. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7941**
DESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlParseEntityDecl or xmlParseConditionalSections function. By using specially-crafted XML data, a remote attacker could exploit this vulnerability to trigger an out-of-bounds read and cause the system to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108071 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7942**
DESCRIPTION:** Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlParseConditionalSections function. By using specially-crafted XML data, a remote attacker could exploit this vulnerability to trigger an out-of-bounds read and cause the system to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108073 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-8241**
DESCRIPTION:** libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the XML parser in xmlNextChar. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108169 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8242**
DESCRIPTION:** libxml2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the HTML parser in push mode in xmlSAX2TextNode. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108170 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8317**
DESCRIPTION:** libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the xmlParseXMLDecl function. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108316 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM DataPower Gateway appliances versions 7.2.0.0 to 7.2.0.5

Remediation/Fixes

Fix is available in versions 7.2.0.6. Refer to APAR IT15089 for URLs to download the fix.

You should verify applying this fix does not cause any compatibility issues.

For DataPower customers using versions 6.x and earlier versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm datapower gatewayeq7.2

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

0.016 Low

EPSS

Percentile

85.4%

Related for 8F1916DF16BCE9B41284F1A9B9374A7B3967DF92C2D2FD403A184D97F5FAEAC1