Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities

Summary

Multiple vulnerabilities have been identified in php that is embedded in the IBM FSM. This fix addresses these vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-7124**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by the improper handling of invalid objects by ext/standard/var_unserializer.c. An attacker could exploit this vulnerability using specially crafted serialized data to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116959 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7125**
DESCRIPTION:** PHP could allow a remote attacker to execute arbitrary code on the system, caused by the skipping of invalid session names that triggers incorrect parsing by ext/session/session.c. An attacker could exploit this vulnerability using control of a session name to inject and execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116958 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-7126**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by the failure to properly validate the number of colors by the imagetruecolortopalette function. An attacker could exploit this vulnerability using a large value in the third argument to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116957 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7127**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by the failure to properly validate gamma values by the imagegammacorrect functions. By providing different signs for the second and third arguments, an attacker could exploit this vulnerability to cause an out-of-bounds write.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7128**
DESCRIPTION:** PHP could allow a remote attacker to obtain sensitive information, caused by the improper handling of the case of a thumbnail offset that exceeds the file size by the exif_process_IFD_in_TIFF function. An attacker could exploit this vulnerability using a specially crafted TIFF image to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116955 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-7129**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by an error in the php_wddx_process_data function. An attacker could exploit this vulnerability using an invalid ISO 8601 time value to cause a segmentation fault.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116954 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7130**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by a NULL pointer dereference in the php_wddx_pop_element function. An attacker could exploit this vulnerability using an invalid base64 binary value to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116960 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7131**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by a NULL pointer dereference in ext/wddx/wddx.c. An attacker could exploit this vulnerability using an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116953 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7132**
DESCRIPTION:** PHP is vulnerable to a denial of service, caused by a NULL pointer dereference in ext/wddx/wddx.c. An attacker could exploit this vulnerability using an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116952 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7411**
DESCRIPTION:** PHP could allow a remote or local attacker to execute arbitrary code on the system, caused by a memory corruption error during deserialized object destruction. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-7413**
DESCRIPTION:** PHP could allow a remote or local attacker to execute arbitrary code on the system, caused by a use-after-free in wddx_deserialize(). An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116947 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-7417**
DESCRIPTION:** PHP could allow a remote or local attacker to execute arbitrary code on the system, caused by a memory corruption error when unserializing SplArray. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116945 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-7418**
DESCRIPTION:** PHP could allow a remote or local attacker to execute arbitrary code on the system, caused by an out-of-bounds memory read in php_wddx_push_element(). An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Flex System Manager 1.3.4.x
Flex System Manager 1.3.3.x
Flex System Manager 1.3.2.x

Remediation/Fixes

IBM recommends updating the FSM using the instructions referenced in this table.

Product |

VRMF |

APAR |

Remediation
—|—|—|—
Flex System Manager|

1.3.4.x |

IT17653

| Install fsmfix1.3.4.0_IT17534_IT17536_IT17537_IT17653
Flex System Manager|

1.3.3.x |

IT17653

| Install fsmfix1.3.3.0_IT17534_IT17536_IT17537_IT17653
Flex System Manager|

1.3.2.x |

IT17653

| Install fsmfix1.3.2.0_IT17534_IT17536_IT17537_IT17653

For a complete list of FSM security bulletins refer to this technote: http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex--NULL--E

For 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product.

Workarounds and Mitigations

None