Lucene search

IBMB408C7BA846A2483FF7780FE422E07F668497A94613E31B25162E1B828A8BB1C

HistorySep 25, 2022 - 11:09 p.m.

Security Bulletin: IBM Forms Viewer stack buffer overflow identified (CVE-2013-5447)

2022-09-2523:09:27

www.ibm.com

ibm forms viewer

stack buffer overflow

remote code execution

cve-2013-5447

vulnerability

ibm

xfdl form

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.959 High

EPSS

Percentile

99.5%

JSON

Abstract

A stack buffer overflow issue has been identified in the Forms Viewer that could allow remote code execution to occur.

Content

A stack buffer overflow issue has been identified in the Forms Viewer that could allow remote code execution to occur

VULNERABILITY DETAILS:

CVEID: CVE-2013-5447

DESCRIPTION:

A XFDL form can be created in such a way that could cause a stack buffer overflow to occur in the IBM Forms Viewer that could allow remote code execution to occur if the form is loaded.

CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87911> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:

IBM Forms Viewer 4.0
IBM Forms Viewer 8.0
IBM Forms Viewer 8.0.1

REMEDIATION:

Product	VRMF	APAR	Remediation
IBM Forms Viewer	4.0.0.*	LO78184	Install IBM Forms Viewer 4.0.0.3 from Fix Central
IBM Forms Viewer	8.0.0.*	LO78184	Install IBM Forms Viewer 8.0.1.1 from Fix Central
IBM Forms Viewer	8.0.1.0	LO78184	Install IBM Forms Viewer 8.0.1.1 from Fix Central

MITIGATION(S):
To expose this issue, the user will have to be directed to open this specifically crafted form

ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Andrea Micalizzi (aka rgod)

CHANGE HISTORY
December 5, 2013 Original Copy Published

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related Information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Complete CVSS Guide

On-line Calculator V2

[{“Product”:{“code”:“SS38QR”,“label”:“Lotus Forms Viewer”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“–”,“Platform”:[{“code”:“PF033”,“label”:“Windows”}],“Version”:“8.0.1;8.0;4.0.0.2;4.0.0.1;4.0”,“Edition”:“”,“Line of Business”:{“code”:“LOB31”,“label”:“WCE Watson Marketing and Commerce”}}]

Affected configurations

Vulners

Node

ibmforms_viewerMatch8.0.1

ibmforms_viewerMatch8.0

ibmforms_viewerMatch4.0.0.2

ibmforms_viewerMatch4.0.0.1

ibmforms_viewerMatch4.0

CPENameOperatorVersion
lotus forms viewereq8.0.1
lotus forms viewereq8.0
lotus forms viewereq4.0.0.2
lotus forms viewereq4.0.0.1
lotus forms viewereq4.0