Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8317)

Summary

There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability.

Vulnerability Details

CVE-ID: CVE-2015-8317
Description: libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the xmlParseXMLDecl function. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.900
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/108316&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

• • IBM InfoSphere Streams Version 1.2.1.0
• IBM InfoSphere Streams Version 2.0.0.4 and earlier
• IBM InfoSphere Streams Version 3.0.0.5 and earlier
• IBM InfoSphere Streams Version 3.1.0.7 and earlier
• IBM InfoSphere Streams Version 3.2.1.4 and earlier
• IBM InfoSphere Streams Version 4.0.1.1 and earlier
• IBM Streams Version 4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

• Version 4.1.1:
  • Apply 4.1.1 Fix Pack 1 (4.1.1.1) or higher.
• Version 4.0.1:
  • Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
• Version 3.2.1:
  • Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
• Version 3.1.0:
  • Apply 3.1 Fix Pack 8 (3.1.0.8) or higher.
• Version 3.0.0:
  • Apply 3.0 Fix Pack 6 (3.0.0.6) or higher.
• Versions 1.2 and 2.0:
  • For version 1.x and 2.x IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.

Workarounds and Mitigations

None