Jun 16, 2018 - 1:45 p.m.

Security Bulletin: Vulnerability in International Components for Unicode (ICU4C) affects IBM InfoSphere DataStage (CVE-2016-7415)

www.ibm.com

EPSS: 0.017 (Percentile: 87.7%)

Summary

An International Components for Unicode (ICU4C) vulnerability was addressed by IBM InfoSphere DataStage.

Vulnerability Details

CVEID: CVE-2016-7415
DESCRIPTION: International Components for Unicode (ICU) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Locale class in common/locid.cpp. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information DataStage: versions 8.7, 9.1, 11.3, and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
InfoSphere DataStage, Information Server on Cloud | 11.5 | JR57228 | Apply IBM InfoSphere DataStage Security patch
InfoSphere DataStage | 11.3 | JR57228 | Apply IBM InfoSphere DataStage Security patch
InfoSphere DataStage | 9.1 | JR57228 | Apply IBM InfoSphere DataStage Security patch
InfoSphere DataStage | 8.7 | JR57228 | Contact IBM Customer Support

Note:
For IBM InfoSphere Information Server version 8.7, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with Information Server Technical Support.

Workarounds and Mitigations

None