IBMD98028FD9397A3FAE5F1598868CE5B6112338ED801FDEC427D92D56BABD09BC8Security Bulletin: Vulnerability with the open source Perl Compatible Regular Expression (PCRE) library used in IBM Aspera Shares 1.9.2 and earlier
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:P/A:C
Question
Security Bulletin: Vulnerability with the open source Perl Compatible Regular Expression (PCRE) library used in IBM Aspera Shares 1.9.2 and earlier
Answer
Summary
There are multiple vulnerabilities with earlier versions of PCRE which was used by the IBM Aspera Shares Application.
Vulnerability Details
CVEID: CVE-2015-8380 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of a pattern with a \01 string by the pcre_exec function. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108467> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8381 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of patterns with certain group references by the compile_regex function. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108466> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8382 DESCRIPTION: PCRE could allow a remote attacker to obtain sensitive information caused by the mishandling of the pattern and related patterns involving (*ACCEPT) by the match function. An attacker could exploit this vulnerability using a specially crafted regular expression to obtain sensitive information or cause a denial of service.
- CVSS Base Score: 6.5
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108465> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID: CVE-2015-8383 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of certain repeated conditional groups. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108464> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8384 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of pattern and related patterns with certain recursive back references. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108463> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8385 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of pattern and related patterns with certain forward references. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108462> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8386 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of the interaction of lookbehind assertions and mutually recursive subpatterns. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108461> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8387 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by an integer overflow when subroutine calls are mishandled. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108460> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8388 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling ofpattern and related patterns with an unmatched closing parenthesis. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108459> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8389 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of patterns. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108458> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8390 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of substrings in character classes. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108457> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8391 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of certain nesting by the pcre_compile function. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108456> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8392 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of certain instances of the (?| substring. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108455> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8393 DESCRIPTION: PCRE could allow a remote attacker to obtain sensitive information caused by the mishandling of the -q option for binary files by pcregrep. An attacker could exploit this vulnerability using a specially crafted file to obtain sensitive information.
- CVSS Base Score: 5.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108454> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2015-8394 DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of digits. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108453> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2015-8395
DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system caused by the mishandling of certain references. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108452> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-3210 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow. By sending a specially-crafted regular expression an attacker could overflow a buffer and execute arbitrary code on the system.
- CVSS Base Score: 7.5
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103511> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2015-2327 DESCRIPTION: PCRE is vulnerable to a denial of service caused by the improper handling of patterns with certain recursion. A remote attacker could exploit this vulnerability using a specially crafted regular expression to cause a segmentation fault.
- CVSS Base Score: 5.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109275> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2015-2328 DESCRIPTION: PCRE is vulnerable to a denial of service caused by the improper handling of patterns with certain internal recursive back references. A remote attacker could exploit this vulnerability using a specially crafted regular expression to cause a segmentation fault.
- CVSS Base Score: 5.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109276> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-1283 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow caused by the improper handling of patterns by the pcre_compile2() function. By using a specially crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109363 for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2014-9769 DESCRIPTION: PCRE is vulnerable to a denial of service caused by the failure to properly use table jumps to optimize nested alternatives by pcre_jit_compile.c. A remote attacker could exploit this vulnerability using a specially crafted string to corrupt the stack and cause a segmentation fault.
- CVSS Base Score: 5.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111793> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-3191 DESCRIPTION: PCRE and PCRE2 are vulnerable to a stack-based buffer overflow caused by the improper handling of the (*ACCEPT) substring by the compile_branch function in pcre_compile.c. By using a specially-crafted regular expression a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVSS Base Score: 7.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111583> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
IBM Aspera Shares Application 1.9.2 or earlier
Remediation/Fixes
Upgrade to IBM Aspera Shares Application 1.9.4 or later for Linux and 1.9.6 or later for Windows from the Aspera downloads site.
For unsupported versions of IBM Aspera Shares Application IBM recommends upgrading to a fixed supported version/release/platform of the product.
Workarounds and Mitigations
None
References
Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
30-September 2016: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST) the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
[{“Business Unit”:{“code”:“BU053”,“label”:“Cloud & Data Platform”},“Product”:{“code”:“SS8NDZ”,“label”:“IBM Aspera”},“Component”:“”,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“All Versions”,“Edition”:“”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}}]
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm aspera | eq | any |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:P/A:C