Lucene search

K
ibmIBM98025854E651536412553B0B69A7444F14C9380AC045721CBBCAF145AC11C835
HistorySep 23, 2021 - 1:31 a.m.

Security Bulletin: Vulnerabilities in unzip affect Power Hardware Management Console (CVE-2014-8139 CVE-2014-8140 CVE-2014-8141 CVE-2014-9636)

2021-09-2301:31:39
www.ibm.com
12

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.259 Low

EPSS

Percentile

96.0%

Summary

Unzip is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2014-8139**
DESCRIPTION:** Info-ZIP UnZip is vulnerable to a heap-based buffer overflow, caused by improper bounds checking within the CRC32 verification. A lo
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99371&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8140**
DESCRIPTION:** Info-ZIP UnZip is vulnerable to a buffer overflow, caused by improper bounds checking by the test_compr_eb() function. A local attac
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99372&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8141**
DESCRIPTION:** Info-ZIP UnZip is vulnerable to a buffer overflow, caused by improper bounds checking by the getZip64Data() function. A local attack
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99373&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-9636**
DESCRIPTION:** Info-ZIP unzip is vulnerable to a denial of service, caused by an out-of-bound access in extract.c. By persuading a victim to open a specially-crafted zip file, a local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 1.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100264&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Power HMC V7.7.3.0

Power HMC V7.7.8.0

Power HMC V7.7.9.0

Power HMC V8.1.0.0

Power HMC V8.2.0.0

Power HMC V8.3.0.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: http://www-933.ibm.com/support/fixcentral/

Product|
VRMF|
APAR|
Remediation/First Fix
—|—|—|—

Power HMC|
V7.7.3.0 SP7|
MB03923| Apply eFix MH01535

Power HMC|
V7.7.8.0 SP2|
MB03924|
Apply eFix MH01536

Power HMC|
V7.7.9.0 SP2|
MB03925|
Apply eFix MH01537

Power HMC|
V8.8.1.0 SP2|
MB03920|
Apply eFix MH01532

Power HMC|
V8.8.2.0 SP1|
MB03926|
Apply eFix MH01538

Power HMC|
V8.8.3.0|
MB03927|
Apply eFix MH01539

Note:

1. For unsupported releases IBM recommends upgrading to a fixed, supported release of the product.

2. After applying the PTF, you should restart the HMC.

3. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C) also called “PERCS” and “IH”. End Of Service date for managing all other server models was 2013.05.31.

Workarounds and Mitigations

None

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.259 Low

EPSS

Percentile

96.0%

Related for 98025854E651536412553B0B69A7444F14C9380AC045721CBBCAF145AC11C835