Lucene search

K
ibmIBMD81188C25A020810F359292BDCB7E8649A6E532227B19A89FF9C9B287580BB23
HistoryJun 18, 2018 - 1:35 a.m.

Security Bulletin: IBM Flex System Manager (FSM) is affected by php5 vulnerabilities (CVE-2016-9933, CVE-2016-9935)

2018-06-1801:35:18
www.ibm.com
6

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

Multiple security vulnerabilities have been identified in php5 that is embedded in IBM FSM. This bulletin addresses these issues.

Vulnerability Details

CVEID: CVE-2016-9933**
DESCRIPTION:** GD Graphics Library (libgd) as used in PHP is vulnerable to a denial of service, caused by a stack consumption vulnerability in gdImageFillToBorder function in gd.c. An attacker could exploit this vulnerability using specially-crafted imagefilltoborder calls to cause a segmentation fault.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120376 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9935**
DESCRIPTION:** PHP vulnerable to a denial of service, caused by an out-of-bounds read and memory error in php_wddx_push_element function in ext/wddx/wddx.c. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120374 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Remediation/Fixes

IBM recommends updating the FSM using the instructions referenced in this table.

Product |

VRMF |

Remediation
—|—|—

Flex System Manager |

1.3.4.0 |

Install fsmfix1.3.4.0_IT19262_IT19315_IT19320

Flex System Manager |

1.3.3.0 |

Install fsmfix1.3.3.0_IT19262_IT19315_IT19320

Flex System Manager |

1.3.2.1
1.3.2.0 |

Install fsmfix1.3.2.0_IT19262_IT19315_IT19320

For all VRMF not listed in this table, IBM recommends upgrading to a fixed and supported version/release of the product.

For a complete list of FSM security bulletins refer to this technote: http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex--NULL--E

Workarounds and Mitigations

None

CPENameOperatorVersion
flex system manager nodeeqany

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for D81188C25A020810F359292BDCB7E8649A6E532227B19A89FF9C9B287580BB23