Security Bulletin: Open Source Apache Xerces-C XML parser Vulnerabilities -- including XML4C (CVE-2016-0729)

Summary

The vulnerabilities have been addressed in the Open Source Apache Xerces-C XML parser for IBM Data Server Driver packages(DB2 Connect Instance less clients).

Vulnerability Details

CVEID: CVE-2016-0729**
DESCRIPTION:** Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by improper bounds checking during processing and error reporting. By sending specially crafted input documents, an attacker could exploit this vulnerability to cause the library to crash or possibly execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111028&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

The V9.7, V10.1, V10.5, V11.1 versions of IBM Data Server Driver packages(DB2 Connect Instance less clients) are as follows:
IBM Data Server Driver Package
IBM Data Server Driver for ODBC and CLI

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

FIX:

The fix for driver package release V10.5 is in V10.5 FP8, available for download from Fix Central.
Customers running any vulnerable fixpack level of an affected Program, V9.7, V10.1 and V11.1 can download the special build containing the fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.7 FP11, DB2 V10.1 FP5 and DB2 V11.1 GA. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Refer to the following chart to determine how to proceed to obtain a needed fixpack or special build.

IBM Data Server Driver Package
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-bit
Windows x86-32
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-bit
Windows x86-32
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI (32-bit)
Solaris 64-bit, SPARC
Solaris 64-bit, x86
AIX 64-bit
Linux 64-bit, pSeries
Linux 64-bit, zSeries
HP-UX 64-bit
10.1| Special Build for V10.1 FP5

IBM Data Server Driver Package
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI (32-bit)
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
HP-UX 64-bit
10.5| 10.5 FP8 Fixpack
http://www.ibm.com/support/docview.wss?uid=swg24042680
11.1| Special Build for V11.1 GA

IBM Data Server Driver Package
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI (32-bit)
Linux 64-bit, zSeries
AIX 64-Bit

For platforms not listed above, contact Technical Support

Workarounds and Mitigations

None.