IBMB577D1FC3D629F41024BCF0BE7C105068728300737337BFA3CE48C11EB6A3991Security Bulletin: Nss,Nss-util and Nspr vulnerabilities affect IBM SmartCloud Entry (CVE-2016-1978, CVE-2016-1979 )
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
IBM SmartCloud Entry is vulnerable to multiple vulnerabilities in nss, nss-util and nspr. Attackers could exloit them using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Vulnerability Details
CVEID: CVE-2016-1978**
DESCRIPTION:** Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in ssl3_HandleECDHServerKeyExchange. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111321 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-1979**
DESCRIPTION:** Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when processing DER encoded keys in the Network Security Services (NSS) libraries. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111365 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM SmartCloud Entry 2.2.0 through 2.2.0.4 Appliance fix pack 6
IBM SmartCloud Entry 2.3.0 through 2.3.0.4 Appliance fix pack 6
IBM SmartCloud Entry 2.4.0 through 2.4.0.4 Appliance fix pack 6
IBM SmartCloud Entry 3.1.0 through 3.1.0.4 Appliance fix pack 21
IBM SmartCloud Entry 3.2.0 through 3.2.0.4 Appliance fix pack 21
Remediation/Fixes
Product
| VRMF| APAR| Remediation/First Fix
—|—|—|—
IBM SmartCloud Entry| 2.2| None| IBM SmartCloud Entry 2.2.0 Appliance fix pack 7:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Starter+Kit+for+Cloud&fixids=2.2.0.4-IBM-SKC_APPL-FP007&source=SAR
IBM SmartCloud Entry| 2.3| None| IBM SmartCloud Entry 2.3.0 Appliance fix pack 7:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.3.0.4-IBM-SCE_APPL-FP007&source=SAR
IBM SmartCloud Entry| 2.4| None| IBM SmartCloud Entry 2.4.0 Appliance fix pack 7:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=2.4.0.4-IBM-SCE_APPL-FP007&source=SAR
IBM SmartCloud Entry| 3.1| None| IBM SmartCloud Entry 3.1.0 Appliance fix pack 22:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.1.0.4-IBM-SCE_APPL-FP22&source=SAR
IBM SmartCloud Entry| 3.2| None| IBM SmartCloud Entry 3.2.0 Appliance fix pack 22:
Workarounds and Mitigations
None known
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P