Multiple vulnerabilities in VMware affect IBM PureApplication System. IBM PureApplication System has addressed the Common Vulnerabilities and Exposures entries CVE-2017-4903, CVE-2017-4904 and CVE-2017-4905.
This bulletin additionally includes information about the release of a fix for CVE-2017-4941 and CVE-2017-4925, which IBM PureApplication System has also addressed. The corresponding VMware advisories cover further CVEs; only these two are applicable to IBM PureApplication System. See the Reference section for details.
CVEID: CVE-2017-4905 DESCRIPTION: Multiple VMware products could allow a local attacker to obtain sensitive information, caused by the use of uninitialized stack memory. A local attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123963 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-4904 DESCRIPTION: Multiple VMware products could allow a local attacker to execute arbitrary code on the system, caused by the use of uninitialized stack memory in the XHCI controller. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123962 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-4903 DESCRIPTION: Multiple VMware products could allow a local attacker to execute arbitrary code on the system, caused by the use of uninitialized stack memory in the SVGA device. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123961 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-4925 DESCRIPTION: Multiple VMware products are vulnerable to a denial of service, caused by a NULL pointer dereference when handling guest RPC requests. By sending a specially crafted RPC request, a local authenticated attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-4941 DESCRIPTION: VMware ESXi, Workstation and Fusion are vulnerable to a stack-based overflow, caused by improper bounds checking in the remote management (VNC) function. By sending a specially crafted set of VNC packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136594 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
IBM PureApplication System V2.2
IBM PureApplication System V2.1
The PureSystems® Managers on IBM PureApplication System are affected.
For CVE-2017-4903, CVE-2017-4904 and CVE-2017-4905, the solution is to upgrade IBM PureApplication System to the following fix level (AIX and Linux):
IBM PureApplication System V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2
IBM PureApplication System V2.1.0.0, V2.1.0.1, V2.1.0.2, V2.1.1.0, V2.1.2.0, V2.1.2.1, V2.1.2.2, V2.1.2.3, V2.1.2.4
For CVE-2017-4925 and CVE-2017-4941, the solution is to upgrade IBM PureApplication System to the following fix level:
IBM PureApplication System V2.2.5.0
Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>
Workarounds and mitigations: None