Lucene search

K
ibmIBMB97B3EB4FEAFD0F35DF27E4D6D2428796FDB2B1C9F2FA16427D2B4EB617D9FD6
HistoryJun 25, 2019 - 7:40 p.m.

Security Bulletin: Open Source VMware Fusion Vulnerabilities in IBM Pure Application System (CVE-2017-4903, CVE-2017-4904, CVE-2017-4905)

2019-06-2519:40:02
www.ibm.com
37

EPSS

0.023

Percentile

89.8%

Summary

Multiple vulnerabilities in Open Source VMware affects IBM PureApplication System. IBM PureApplication System has addressed Common Vulnerabilities Exposures CVE-2017-4903, CVE-2017-4904, CVE-2017-4905.
Additionally this bulletin includes information about the release of fix for Common Vulnerabilities Exposures. IBM PureApplication System has addressed the applicable CVEs CVE-2017-4941 and CVE-2017-4925 that cover additional CVEs see Reference section for details.

Vulnerability Details

CVEID: CVE-2017-4905 DESCRIPTION: Multiple VMware products could allow a local attacker to obtain sensitive information, caused by uninitializing stack memory usage. A local attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123963 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-4904 DESCRIPTION: Multiple VMware products could allow a local attacker to execute arbitrary code on the system, caused by uninitializing stack memory usage in XHCI controller. An attacker could exploit this vulnerability to execute arbitrary code on the system and cause a denial of service.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123962 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-4903 DESCRIPTION: Multiple VMware products could allow a local attacker to execute arbitrary code on the system, caused by uninitializing stack memory usage in SVGA. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123961 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-4925 DESCRIPTION: Multiple VMware products are vulnerable to a denial of service, caused by a NULL pointer dereference when handling guest RPC requests. By sending a specially-crafted RPC request, a local authenticated attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/132145&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-4941 DESCRIPTION: VMware ESXi, Workstation and Fusion is vulnerable to a stack-based overflow, caused by improper bounds checking by the remote management function. By sending a specially crafted set of VNC packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/136594&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM PureApplication System V2.2
IBM PureApplication System V2.1

Remediation/Fixes

The PureSystemsยฎ Managers. on IBM PureApplication System is affected.

As for CVE-2017-4903, CVE-2017-4904, CVE-2017-4905, the solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication System V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2

IBM PureApplication System V2.1.0.0, V2.1.0.1, V2.1.0.2, V2.1.0.0, V2.1.1.0, V2.1.2.0, V2.1.2.1, V2.1.2.2, V2.1.2.3, V2.1.2.4:

  • IBM recommends upgrading to a fixed version of the product. Contact IBM for assistance

As for CVE-2017-4925, CVE-2017-4941 the solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication V2.2.5.0

  • Upgrade to IBM PureApplication V2.2.5. Contact IBM for assistance.

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159&gt;

Workarounds and Mitigations

None

EPSS

0.023

Percentile

89.8%