Security Bulletin: Multiple vulnerabilities in curl affect IBM Flex System Manager (FSM)

Summary

Multiple security vulnerabilities have been discovered in curl that is embedded in the IBM FSM. This bulletin addresses these vulnerabilities.

Vulnerability Details

CVEID: CVE-2015-3143**
DESCRIPTION:** libcurl could allow a remote attacker from within the local network to bypass security restrictions, caused by the re-use of recently authenticated connections. By sending a new NTLM-authenticated request, an attacker could exploit this vulnerability to perform unauthorized actions with the privileges of the victim.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102888 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-3148**
DESCRIPTION:** libcurl and cRUL could allow a remote attacker to bypass security restrictions, caused by improper use of the negotiate authentication method. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions and connect as other users.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-3153**
DESCRIPTION:** cURL/libcURL could allow a remote attacker to obtain sensitive information, caused by custom HTTP headers with sensitive content being sent to the server and intermediate proxy by the CURLOPT_HTTPHEADER option. An attacker could exploit this vulnerability to obtain authentication cookies or other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-3613**
DESCRIPTION:** cURL/libcURL could allow a remote attacker to bypass security restrictions, caused by the failure to properly detect and reject domain names for IP addresses. An attacker could exploit this vulnerability to send cookies to an incorrect site.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95925 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-3707**
DESCRIPTION:** cURL/libcURL could allow a remote attacker to obtain sensitive information, caused by an error in the curl_easy_duphandle() function. An attacker could exploit this vulnerability to corrupt heap memory and obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98562 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2014-8150**
DESCRIPTION:** libcURL is vulnerable to CRLF injection, caused by the improper handling of URLs with embedded end-of-line characters. By persuading a victim to click on a specially-crafted URL link using an HTTP proxy, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100567 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Flex System Manager 1.3.4.x
Flex System Manager 1.3.3.x
Flex System Manager 1.3.2.x
Flex System Manager 1.3.1.x
Flex System Manager 1.3.0.x
Flex System Manager 1.2.x.x
Flex System Manager 1.1.x.x

Remediation/Fixes

IBM recommends updating the FSM using the instructions referenced in this table.

Warning: Agents older than version 6.3.5 must be updated using the Technote listed in these Remediation plans before this FSM fix is installed or you will permanently lose contact with the endpoint with agents older than version 6.3.5

Product |

VRMF |

APAR |

Remediation
—|—|—|—
Flex System Manager|

1.3.4.x |

IT12601

| Verify the required Java updates have been completed, then install fsmfix1.3.4.0_IT11636_IT12081_IT12596_IT12597_IT12599_IT12601_IT12602

Instructions for verifying installation of the Java updates can be found in the “Confirm the fixes were applied properly” section of Technote 761981453

Flex System Manager|

1.3.3.x |

IT12601

| Verify the required Java updates have been completed, then install fsmfix1.3.3.0_IT11636_IT12081_IT12596_IT12597_IT12599_IT12601_IT12602

Instructions for verifying installation of the Java updates can be found in the “Confirm the fixes were applied properly” section of Technote 736218441

Flex System Manager|

1.3.2.x |

IT12601

| Verify the required Java updates have been completed, then install fsmfix1.3.2.0_IT11636_IT12081_IT12596_IT12597_IT12599_IT12601_IT12602

Instructions for verifying installation of the Java updates can be found in the “Confirm the fixes were applied properly” section of Technote 736218441

Flex System Manager|

1.3.1.x |

IT12601

| IBM recommends upgrading to a fixed, supported version/release and following the appropriate remediation for all vulnerabilities.
Flex System Manager|

1.3.0.x |

IT12601

| IBM recommends upgrading to a fixed, supported version/release and following the appropriate remediation for all vulnerabilities.
Flex System Manager|

1.2.x.x |

IT12601

| IBM recommends upgrading to a fixed, supported version/release and following the appropriate remediation for all vulnerabilities.
Flex System Manager|

1.1.x.x |

IT12601

| IBM recommends upgrading to a fixed, supported version/release and following the appropriate remediation for all vulnerabilities.

Workarounds and Mitigations

None