Security Bulletin: Multiple vulnerabilities impact System Storage DS8000 Hardware Management Console (HMC)

Summary

Multiple vulnerabilities in the DS8000 Hardware Management Console are covered in this bulletin.
These include:
- IBM® Runtime Environment Java™ Technology Edition that is used by the DS8000
Hardware Management Console. These issues were disclosed as part of the IBM Java SDK critical patch updates in October 2015
- GNU C Library (glibc) disclosures
- strongSwan disclosure
- Network Time Protocol (NTP) disclosures

Vulnerability Details

CVEID: CVE-2015-4872**
DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-2207**
DESCRIPTION:** The GNU C Library (glibc) could allow a local attacker to bypass security restrictions, caused by an error in the pt_chown() function. An attacker could exploit this vulnerability to gain unauthorized access to the pseudoterminal of other users.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/86914 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-1781**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a buffer overflow, caused by improper bounds checking by the gethostbyname_r() and other related functions. By sending a specially-crafted argument, a remote attacker could overflow a buffer and execute arbitrary code on the system elevated privileges or cause the application to crash.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102500 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-7547**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the nss_dns backend for the getaddrinfo() function when performing dual A/AAAA DNS queries. By sending a specially crafted DNS response, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-4171**
DESCRIPTION:** strongSwan could allow a remote authenticated attacker to obtain sensitive information, caused by an error in IKEv2 connections related to server authentication with a certificate and EAP or pre-shared keys. An attacker could exploit this vulnerability to obtain user credentials and other sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/103885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-7691**
DESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in ntp_crypto.c. An attacker could exploit this vulnerability using a packet containing an extension field with an invalid value for the length of its value field to cause ntpd to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107449 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7703**
DESCRIPTION:** Network Time Protocol (NTP) could allow a remote attacker to traverse directories on the system, caused by the failure to enforce local access only of the “pidfile” and “driftfile” configuration directives. An attacker could exploit this vulnerability to view arbitrary files on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107445 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7848**
DESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an multiple integer overflows when processing malicious packets. By sending a specially crafted private mode packet, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107443 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7850**
DESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in the remote configuration functionality. By sending a specially crafted configuration file, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107441 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7851**
DESCRIPTION:** Network Time Protocol (NTP) could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the save_config function containing directory traversal sequences to view arbitrary files on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107440 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-7855**
DESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by ASSERT botch instead of returning FAIL on some invalid values by the decodenetnum() function. An attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107448 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

DS8700/DS8800 R6.3 DS8870 R7.x DS8000 R8.X

Remediation/Fixes

IBM strongly suggests that you install the vulnerability patch identified immediately below:
.

The patch CVE_1Q2016_v1.0 is available May 20th 2016 and can be applied to systems which are at**or above **the levels shown below:

Users at code levels earlier than these are advised to upgrade to the recommended code levels and then apply the patch. See <http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456&gt;

NOTE: This patch supercedes****the patch CVE_3Q2015_v1.0 and contains all the remediations listed inhttp://www-01.ibm.com/support/docview.wss?uid=ssg1S1005375** as well as those noted in this bulletin.**

Please contact IBM support to install this patch if required.

.

This bulletin will be updated to indicate code levels which include these fixes

Workarounds and Mitigations

None