Lucene search

K
ibmIBMC0509FFDD2E7B5B9C800D00723F398767F2937109F970057ADEEB5584489C6C4
HistorySep 23, 2021 - 1:31 a.m.

Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console

2021-09-2301:31:39
www.ibm.com
41
isc bind
power hmc
denial of service
improper handling
vulnerability
cve-2016-9778
cve-2016-9131
cve-2016-9444
cve-2016-9147
cve-2017-3135
power hmc v8.8.3.0
power hmc v8.8.4.0
power hmc v8.8.5.0
power hmc v8.8.6.0
ibm fix central.

EPSS

0.873

Percentile

98.7%

Summary

BIND is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-9778**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of specific queries when using the nxdomain-redirect feature. By sending a malformed query, a remote attacker could exploit this vulnerability to trigger a REQUIRE assertion failure in db.c.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120475 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9131**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses during recursion. By sending a malformed response to a RTYPE ANY query, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120472 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9444**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DS resource record. By sending a specially-constructed answer, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120474 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9147**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response. By sending a malformed response, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120473 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-3135**
DESCRIPTION****:** ISC BIND is vulnerable to a denial of service, caused by an error when using both DNS64 and RPZ to rewrite query responses. A remote attacker could exploit this vulnerability to trigger an INSIST assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121740 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Version

|

CVE list

—|—

Power HMC V8.8.3.0

|

CVE-2016-9147

Power HMC V8.8.4.0

|

CVE-2016-9147

Power HMC V8.8.5.0

|

CVE-2016-9147

Power HMC V8.8.6.0

|

CVE-2016-9147, CVE-2016-9778, CVE-2016-9131, CVE-2016-9444, and CVE-2017-3135

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/&gt;

Product

|

VRMF

|

APAR

|

Remediation/Fix

—|—|—|—

Power HMC

|

V8.8.3.0 SP3

|

MB04070

|

MH01683

Power HMC

|

V8.8.4.0 SP2

|

MB04071

|

MH01684

Power HMC

|

V8.8.5.0 SP2

|

MB04074

|

MH01685

Power HMC

|

V8.8.6.0 SP1

|

MB04041

|

MH01656

Workarounds and Mitigations

None