History: Jun 17, 2018 - 3:02 p.m.

Security Bulletin: Multiple vulnerabilities in cURL libcURL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3144 and CVE-2015-3145)

2018-06-17 15:02:12
www.ibm.com
CVSS2: 9 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Summary

cURL libcURL vulnerabilities were disclosed on April 22, 2015 by the cURL Project. cURL is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors. IBM Tivoli Netcool System Service Monitors/Application Service Monitors has addressed the applicable CVEs.

Vulnerability Details

CVE-ID: CVE-2015-3144

DESCRIPTION: libcurl and cURL are vulnerable to a denial of service, caused by an improper index calculation in the fix_hostname function. By using a zero-length host name, a remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.000
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-3145

DESCRIPTION: libcurl and cURL are vulnerable to a denial of service, caused by an improper index calculation in the sanitize_cookie_path function. By using a double-quote character in a cookie path, a remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.000
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102884 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
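
Both descriptions above come down to an index computed from a string length that can be zero. The following C example is an added illustration, not curl's or IBM's code; the helper names and the trailing-dot check are assumptions chosen to show the length guard on the two inputs the bulletin names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not curl's code): drop one trailing '.'
 * from a host name in place and return the new length. */
size_t strip_trailing_dot(char *host)
{
    size_t len = strlen(host);
    /* Without the len > 0 test, an empty name makes len - 1 wrap to
     * SIZE_MAX and host[len - 1] reads outside the buffer. */
    if (len > 0 && host[len - 1] == '.')
        host[--len] = '\0';
    return len;
}

/* Hypothetical helper (assumption): remove one leading and one trailing
 * double quote from a cookie path in place and return the new length. */
size_t strip_path_quotes(char *path)
{
    size_t len = strlen(path);
    if (len > 0 && path[0] == '"') {
        memmove(path, path + 1, len); /* len bytes: the tail plus its NUL */
        len--;
    }
    /* Re-test the length: a path consisting only of '"' is empty by now. */
    if (len > 0 && path[len - 1] == '"')
        path[--len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed inputs: the two edge cases named in the bulletin plus
     * one ordinary value for each helper. */
    char h1[] = "", h2[] = "example.com.";
    char p1[] = "\"", p2[] = "\"/app\"";
    printf("%zu %zu\n", strip_trailing_dot(h1), strip_trailing_dot(h2));
    printf("%zu %zu\n", strip_path_quotes(p1), strip_path_quotes(p2));
    return 0;
}
```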

Affected Products and Versions

SSM 4.0.0 FP1 - FP14 and Interim Fix 14-01 – Interim Fix 14-06
SSM 4.0.1 FP1 – FP2 Interim Fix 02

Remediation/Fixes

Product| VRMF| APAR| Remediation/First Fix
---|---|---|---
4.0.1.2-TIV-SSM-IF0003| 4.0.1.2| None| http://www-01.ibm.com/support/docview.wss?uid=isg400002351
4.0.0.14-TIV-SSM-IF0007| 4.0.0.14| None| http://www-01.ibm.com/support/docview.wss?uid=isg400002356

Workarounds and Mitigations

None Known

CPE

Name| Operator| Version
---|---|---
netcool/system service monitor| eq| 4.0
