SB2017050826 - Multiple vulnerabilities in IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017050826

SB2017050826 - Multiple vulnerabilities in IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems

Published: May 8, 2017 Updated: July 20, 2023

Security Bulletin ID SB2017050826
Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Heap-based buffer over-read (CVE-ID: CVE-2017-9050)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlDictAddString function of XMLSoft libxml2 due to improper bounds checking in the dict.c code. A remote attacker can send a specially crafted request, trigger heap-based buffer over-read condition and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


2) Heap-based buffer over-read (CVE-ID: CVE-2017-9049)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlDictComputeFastKey function of XMLSoft libxml2 due to improper bounds checking in the dict.c code. A remote attacker can send a specially crafted request, trigger heap-based buffer over-read condition and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


3) Stack-based buffer overflow (CVE-ID: CVE-2017-9048)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlSnprintfElementContent function of XMLSoft libxml2 due to improper bounds checking in the valid.c code. A remote attacker can send a specially crafted request, trigger stack-based buffer overflow condition and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


4) Memory corruption (CVE-ID: CVE-2017-9047)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlSnprintfElementContent function of XMLSoft libxml2 due to improper memory handling by the valid.c source code. A remote attacker can send a specially crafted XML file, trigger memory corruption and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


5) XML External Entity injection (CVE-ID: CVE-2016-9318)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.


Remediation

Install update from vendor's website.

References