Security Bulletin: Security vulnerabilities have been identified in bzip2 shipped with IBM License Metric Tool v9.

Summary

There are two vulnerabilities in bzip2 shipped with IBM License Metric Tool. Those vulnerabilities have been addressed.

Vulnerability Details

CVEID:CVE-2016-3189
**DESCRIPTION:**Bzip2 is vulnerable to a denial of service, caused by a use-after-free error in the bzip2recover. By persuading a victim to open a specially-crafted bzip2 file, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/114307 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-12900
**DESCRIPTION:**bzip2 is vulnerable to a denial of service, caused by an out-of-bounds write flaw when there are many selectors in the BZ2_decompress function in decompress.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162822 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

Upgrade to version 9.2.34 or later using the following procedure:

In BigFix console, expand IBM License Reporting (ILMT) node under Sites node in the tree panel.
Click Fixlets and Tasks node. Fixlets and Tasks panel will be displayed on the right.
In the Fixlets and Tasks panel locate Upgrade to the latest version of IBM License Metric Tool 9.x fixlet and run it against the computer that hosts your server.

Workarounds and Mitigations

None