Security Bulletin: Multiple vulnerabilities in GNU C library (glibc) affects IBM Storwize V7000 Unified

Summary

IBM Storwize V7000 Unified is shipped with GNU glibc, for which a fix is available for security vulnerabilities.

Vulnerability Details

GNU C library buffer overflow and denial of service vulnerabilities affect IBM Storwize V7000 Unified.

CVEID: CVE-2017-15804 DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer overflow, caused by improper bounds checking by glob function in glob.c. By using a specially-crafted file, a local attacker could overflow a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133996&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-15671 DESCRIPTION: GNU C Library is vulnerable to a denial of service, caused by a memory leak in the glob function in glob.c. A remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133909&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-15670 DESCRIPTION: GNU C Library is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the glob function in glob.c. By sending a specially-crafted string, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133915&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2011-5320 DESCRIPTION: GNU glibc is vulnerable to a denial of service, caused by a flaw in the scanf and related functions. By using a large string of os, a local attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133667&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running code releases 1.6.0.0 to 1.6.2.4. The product running unsupported code releases 1.5 or earlier are also affected.

Remediation/Fixes

A fix for these issues is in version v1.6.2.5 of IBM Storwize V7000 Unified. Customers running an affected version of IBM Storwize V7000 Unified should upgrade to 1.6.2.5 or a later version.

Latest Storwize V7000 Unified Software

Systems running an unsupported version (v1.5 or earlier) should be upgraded to the current release containing the security fixes.

Workarounds and Mitigations

Mitigation(s) : Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.