Lucene search

K
ibmIBME228AE26D557AC2FB8C5AF13926D0970F3BAC5922DC3700312E52FD8E2BD1B47
HistoryJul 13, 2018 - 5:44 p.m.

Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in libxml2

2018-07-1317:44:33
www.ibm.com
12

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.106 Low

EPSS

Percentile

95.0%

Summary

Vulnerabilities in libxml2 have been addressed by IBM RackSwitch firmware products listed below.

Vulnerability Details

CVEID: CVE-2017-5130 DESCRIPTION: Google Chrome is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by libxml2. By persuading a victim to visit a specially-crafted Web site, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133570&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-16932 DESCRIPTION: Xmlsoft libxml2 is vulnerable to a denial of service, caused by an infinite recursion issue in parameter entities. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to exhaust available memory on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135489&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-15412 DESCRIPTION: Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in libXML. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136046&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5131 DESCRIPTION: Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in libxml. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115396&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

Product

|

Affected Version

โ€”|โ€”

IBM RackSwitch G8052

|

7.9

IBM RackSwitch G8052

|

7.11

IBM RackSwitch G8124/G8124E

|

7.9

IBM RackSwitch G8124/G8124E

|

7.11

IBM RackSwitch G8264

|

7.9

IBM RackSwitch G8264

|

7.11

IBM RackSwitch G8264CS

|

7.8

IBM RackSwitch G8264T

|

7.9

IBM RackSwitch G8316

|

7.9

IBM RackSwitch G8332

|

7.7

Remediation/Fixes

Firmware fix versions are available on Fix Central: http://www.ibm.com/support/fixcentral/

Product

|

Fix Version

โ€”|โ€”

IBM RackSwitch G8052 (G8052_Image_7.9.22.0)

|

7.9.22.0

IBM RackSwitch G8052
(G8052_Image_7.11.12.0)

|

7.11.12.0

IBM RackSwitch G8124/G8124E
(G8124_G8124E_Image_7.9.22.0)

|

7.9.22.0

IBM RackSwitch G8124/G8124E
(G8124_G8124E_Image_7.11.12.0)

|

7.11.12.0

IBM RackSwitch G8264
(G8264_Image_7.9.22.0)

|

7.9.22.0

IBM RackSwitch G8264
(G8264_Image_7.11.12.0)

|

7.11.12.0

IBM RackSwitch G8264CS
(G8264CS_Image_7.8.20.0)

|

7.8.20.0

IBM RackSwitch G8264T
(G8264T_Image_7.9.22.0)

|

7.9.22.0

IBM RackSwitch G8316
(G8316_Image_7.9.22.0)

|

7.9.22.0

IBM RackSwitch G8332
(G8332_Image_7.7.28.0)

|

7.7.28.0

Workarounds and Mitigations

None

CPENameOperatorVersion
system x->microsoft datacentereqany

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.106 Low

EPSS

Percentile

95.0%