AIX : Multiple Vulnerabilities (IJ54754)

🗓️ 04 Jun 2025 00:00:00Reported by TenableType

AIX is vulnerable due to multiple issues in libxml2 prior to APAR IJ54754 advisory.

Reporter	Title	Published	Views	Family All 542
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation	28 May 202514:39	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in Watson NLP affects IBM Robotic Process Automation (CVE-2024-56171).	13 Jun 202501:58	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cognos Business Intelligence Server 2017Q4 Security Updater: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.	15 Jun 201823:47	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in libxml2 affects IBM Cognos Analytics	15 Jun 201823:51	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in libxml2 library (CVE-2024-56171, CVE-2025-24928) affect Power HMC.	7 Jul 202505:41	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps	25 Jun 202513:52	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a' use after free' condition in libxml2 [CVE-2024-56171]	13 Jun 202516:07	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a stack-based buffer overflow in libxml2 [CVE-2025-24928]	13 Jun 202516:05	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in libxml2 affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems	14 Apr 202314:32	–	ibm
IBM Security Bulletins	Security Bulletin: libxml2 before 2.12.10 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c, affects watsonx.data	30 Jun 202510:33	–	ibm

Source	Link
ibm	www.ibm.com/support/pages/node/7235623
ibm	www.ibm.com/support/pages/apar/IJ54754
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(237754);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/04");

  script_cve_id(
    "CVE-2017-9047",
    "CVE-2024-56171",
    "CVE-2025-24928",
    "CVE-2025-27113"
  );

  script_name(english:"AIX : Multiple Vulnerabilities (IJ54754)");

  script_set_attribute(attribute:"synopsis", value:
"The remote AIX host is missing a security patch.");
  script_set_attribute(attribute:"description", value:
"The version of AIX installed on the remote host is prior to APAR IJ54754. It is, therefore, affected by multiple
vulnerabilities as referenced in the IJ54754 advisory.

  - A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function
    xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a
    char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is
    XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits)
    whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name
    actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write
    about size many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2,
    such as PHP, to crash. (CVE-2017-9047)

  - libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements
    in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE:
    this is similar to CVE-2017-9047. (CVE-2025-24928)

  - libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in
    pattern.c. (CVE-2025-27113)

  - libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and
    xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated
    against an XML schema with certain identity constraints, or a crafted XML schema must be used.
    (CVE-2024-56171)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/7235623");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/apar/IJ54754");
  script_set_attribute(attribute:"solution", value:
"Please apply the appropriate interim fix per APAR IJ54754.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9047");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-27113");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"AIX Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");

  exit(0);
}

include('aix.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if ( ! get_kb_item('Host/AIX/version') ) audit(AUDIT_OS_NOT, "AIX");
if ( ! get_kb_item('Host/AIX/lslpp') ) audit(AUDIT_PACKAGE_LIST_MISSING);

if ( get_kb_item('Host/AIX/emgr_failure') ) exit(0, 'This iFix check is disabled because : ' + get_kb_item('Host/AIX/emgr_failure') );

var constraints = [
    {'release': '4.1', 'ml': '01', 'sp': '00', 'patch': 'IJ54754m0a', 'package': 'bos.rte.control', 'minfilesetver': '7.3.3.0', 'maxfilesetver': '7.3.3.0'},
    {'release': '7.3', 'ml': '03', 'sp': '00', 'patch': 'IJ54754m0a', 'package': 'bos.rte.control', 'minfilesetver': '7.3.3.0', 'maxfilesetver': '7.3.3.0'}
];

var flag = 0;
foreach var constraint (constraints) {
    var release = constraint['release'];
    var ml = constraint['ml'];
    var sp = constraint['sp'];
    var patch = constraint['patch'];
    var package = constraint['package'];
    var minfilesetver = constraint['minfilesetver'];
    var maxfilesetver = constraint['maxfilesetver'];
    if(aix_check_ifix(release: release, ml: ml, sp: sp, patch: patch, package: package, minfilesetver: minfilesetver, maxfilesetver: maxfilesetver) < 0) flag++;
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : aix_report_get()
  );
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected - AIX");

04 Jun 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 25

CVSS 37.5

CVSS 3.17.8 - 9.8

EPSS0.0266

SSVC