SB2025021713 - Multiple vulnerabilities in IBM Flex System Chassis Management Module (CMM)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025021713

SB2025021713 - Multiple vulnerabilities in IBM Flex System Chassis Management Module (CMM)

Published: February 17, 2025

Security Bulletin ID SB2025021713
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2017-7868)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error in utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function in International Components for Unicode (ICU) for C/C++ before 2017-02-13. A remote unauthenticated attacker can trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Heap-based buffer overflow (CVE-ID: CVE-2017-7867)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error in utf8TextAccess() function in common/utext.cpp and the utext_moveIndex32* function in International Components for Unicode (ICU) for C/C++ before 2017-02-13. A remote unauthenticated attacker can trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Stack-based buffer overflow (CVE-ID: CVE-2017-17484)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to stack-based buffer overflow when the ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion. A remote unauthenticated attacker can supply a specially crafted string, as demonstrated by ZNC, trigger memory corruption and cause the service to crash.


4) Integer overflow (CVE-ID: CVE-2017-15422)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to integer overflow in ICU. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install update from vendor's website.

References