IBM PureApplication Version 2.2.5.2

To download the interim fix, go to the IBM PureApplication System product page on Fix Central.

Version 2.2.5.2 includes fixes for these security vulnerabilities:

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.

CVEID: CVE-2017-3737
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and high availability impact.

CVEID: CVE-2017-3738
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key.
Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.

CVEID: CVE-2018-1301
DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds access error after a header size limit has been reached reading the HTTP header. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to cause the service to crash.

CVEID: CVE-2018-1303
DESCRIPTION: HTTP request header could have crashed the Apache HTTP Server due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users.

CVEID: CVE-2018-3639
DESCRIPTION: Multiple Intel CPU's could allow a local attacker to obtain sensitive information, caused by utilizing sequences of speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to bypass security restrictions and gain read access to privileged memory. Note: This vulnerability is the Speculative Store Bypass (SSB), also known as Variant 4 or "SpectreNG".

CVE-ID: CVE-2018-1000301
Description: curl is vulnerable to a denial of service, caused by heap-based buffer over-read. By sending a specially crafted RTSP response, a remote attacker could overflow a buffer and possibly obtain sensitive information or cause the application to crash.

The following tables contain the Authorized Program Analysis Reports (APARs) and other fixes that are included in this release. If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version. The upgrade recommendation is to move directly to 2.2.5.2.

 

APAR	Abstract
IT24849	PureApplication System: Unable to add description while creating description through pure.cli
IT25009	PureApplication System: CWZIP5105W Unexpected database error: The value of a host variable in the EXECUTE or OPEN statement is out of range for its corresponding use.