Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console

Summary

BIND is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-9778**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of specific queries when using the nxdomain-redirect feature. By sending a malformed query, a remote attacker could exploit this vulnerability to trigger a REQUIRE assertion failure in db.c.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120475 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9131**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses during recursion. By sending a malformed response to a RTYPE ANY query, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120472 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9444**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing a DS resource record. By sending a specially-constructed answer, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120474 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9147**
DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the improper handling of responses containing DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response. By sending a malformed response, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120473 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-3135**
DESCRIPTION****:** ISC BIND is vulnerable to a denial of service, caused by an error when using both DNS64 and RPZ to rewrite query responses. A remote attacker could exploit this vulnerability to trigger an INSIST assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121740 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Version

|

CVE list

—|—

Power HMC V8.8.3.0

|

CVE-2016-9147

Power HMC V8.8.4.0

|

CVE-2016-9147

Power HMC V8.8.5.0

|

CVE-2016-9147

Power HMC V8.8.6.0

|

CVE-2016-9147, CVE-2016-9778, CVE-2016-9131, CVE-2016-9444, and CVE-2017-3135

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/&gt;

Product

|

VRMF

|

APAR

|

Remediation/Fix

—|—|—|—

Power HMC

|

V8.8.3.0 SP3

|

MB04070

|

MH01683

Power HMC

|

V8.8.4.0 SP2

|

MB04071

|

MH01684

Power HMC

|

V8.8.5.0 SP2

|

MB04074

|

MH01685

Power HMC

|

V8.8.6.0 SP1

|

MB04041

|

MH01656

Workarounds and Mitigations

None