
Security Bulletin: A vulnerability in libcURL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3237)

2018-06-17 15:21:09
www.ibm.com

CVSS2: 6.4 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

Summary

A vulnerability in libcURL was disclosed on September 10, 2015 by the cURL open source team as a fix in libcURL 7.43. libcURL 7.47.1, used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors, has addressed the vulnerability.

Vulnerability Details

CVE-ID: CVE-2015-3237
DESCRIPTION: libcurl could allow a remote attacker to obtain sensitive information, caused by improper bounds checking by the smb_request_state function. By sending specially-crafted length and offset values, a remote attacker could exploit this vulnerability to obtain sensitive information from memory or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110062 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
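
The bug class described above, a peer-supplied length and offset used without checking them against the bytes actually received, shown as an added example (not libcurl's or IBM's code; the function names and the 32-bit field widths are assumptions). It goes slightly beyond the bulletin by also covering the case where offset + length wraps around:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helpers; this is not libcurl's smb_request_state code. */

/* Naive check: the 32-bit sum can wrap, so a huge offset is accepted. */
static int range_ok_naive(size_t msg_len, uint32_t off, uint32_t len)
{
    uint32_t end = off + len;            /* wraps modulo 2^32 */
    return end <= msg_len;
}

/* Overflow-safe check: never forms off + len. */
static int range_ok(size_t msg_len, uint32_t off, uint32_t len)
{
    return off <= msg_len && len <= msg_len - off;
}

/* Copy the payload the peer described out of msg, but only when the
 * range lies inside the received bytes and fits the destination.
 * Returns the number of bytes copied, or -1 if the fields are rejected. */
static long copy_payload(const unsigned char *msg, size_t msg_len,
                         uint32_t off, uint32_t len,
                         unsigned char *dst, size_t dst_cap)
{
    if (!range_ok(msg_len, off, len) || len > dst_cap)
        return -1;
    memcpy(dst, msg + off, len);
    return (long)len;
}

int main(void)
{
    /* Constructed sample: 8 header bytes, then "payload" and a NUL. */
    unsigned char msg[16] = "HDRHDRHDpayload";
    unsigned char out[8];
    long good = copy_payload(msg, sizeof msg, 8, 8, out, sizeof out);
    long bad  = copy_payload(msg, sizeof msg, 0xFFFFFFF0u, 0x20u,
                             out, sizeof out);
    return (good == 8 && bad == -1) ? 0 : 1;
}
```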

Affected Products and Versions

Versions:
· SSM 4.0.0 FP1 – FP14 and Interim Fix 14-01 – Interim Fix 14-07
· SSM 4.0.1 FP1 – FP2 Interim Fix 03

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
4.0.0.14-TIV-SSM-IF0008 | 4.0.0.14 | None | http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002629
4.0.1.2-TIV-SSM-IF0004 | 4.0.1.2 | None | http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002626

Workarounds and Mitigations

None known
