
SE69050 - OSP-DHCP/FIX CVE-2018-5732 AND CVE-2018-5733 FOR ISC DHCP


APAR (Authorized Program Analysis Report)

Abstract

OSP-DHCP/FIX CVE-2018-5732 AND CVE-2018-5733 FOR ISC DHCP

Error Description

ISC released CVE-2018-5732 and CVE-2018-5733.

CVE-2018-5732: Failure to properly bounds check a buffer used for processing DHCP options allows a malicious server (or an entity masquerading as a server) to cause a buffer overflow (and resulting crash) in dhclient by sending a response containing a specially constructed options section.

CVE-2018-5733: A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash.
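The CVE-2018-5732 description above comes down to a missing length check while walking the DHCP options area. The following C example is added here to show that check; it is not IBM's or ISC's code, and the option bytes are constructed samples, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHO_PAD 0
#define DHO_END 255

struct dhcp_option { uint8_t code, len; const uint8_t *data; }; /* data points into buf */

/* Walk the DHCP options TLV area (RFC 2132 layout). Returns the number of
 * options found, or -1 if a length byte claims more data than remains, so a
 * hostile server cannot make the caller read or copy past the buffer. */
int parse_dhcp_options(const uint8_t *buf, size_t buflen,
                       struct dhcp_option *out, size_t max_out)
{
    size_t pos = 0;
    int count = 0;
    while (pos < buflen) {
        uint8_t code = buf[pos++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END) return count;
        if (pos >= buflen) return -1;           /* code byte, no length byte */
        uint8_t len = buf[pos++];
        if (len > buflen - pos) return -1;      /* declared length overruns buffer */
        if ((size_t)count < max_out) {
            out[count].code = code;
            out[count].len = len;
            out[count].data = buf + pos;
        }
        count++;
        pos += len;
    }
    return count;   /* ran off the end without DHO_END; nothing was overread */
}

static const uint8_t good_opts[] = { 53, 1, 2,              /* constructed: message type */
                                     54, 4, 192, 168, 1, 1, /* server identifier */
                                     255 };
static const uint8_t bad_opts[]  = { 53, 1, 2,
                                     60, 200, 'A', 'B',     /* claims 200 bytes, 2 remain */
                                     255 };

int main(void)
{
    struct dhcp_option o[16];
    printf("good: %d\n", parse_dhcp_options(good_opts, sizeof good_opts, o, 16));
    printf("bad:  %d\n", parse_dhcp_options(bad_opts, sizeof bad_opts, o, 16));
    return 0;
}
```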

Problem Summary

****************************************************************
* PROBLEM: (SE69050) Licensed Program = 5770SS1 for i 7.1,     *
*                                        i 7.2, and i 7.3      *
*           Security                                           *
****************************************************************
* USERS AFFECTED: All IBM i operating system users using       *
*                 integrated application server or integrated  *
*                 web services server.                         *
****************************************************************
* RECOMMENDATION: Apply PTF SI67242 for i 7.1.                 *
*                 Apply PTF SI67240 for i 7.2.                 *
*                 Apply PTF SI67239 for i 7.3.                 *
****************************************************************
ISC released CVE-2018-5732 and CVE-2018-5733.

CVE-2018-5732: Failure to properly bounds check a buffer used for processing DHCP options allows a malicious server (or an entity masquerading as a server) to cause a buffer overflow (and resulting crash) in dhclient by sending a response containing a specially constructed options section.

CVE-2018-5733: A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash.

Problem Conclusion

Fixed the problems with the ISC-provided fixes.

Note: Please ignore the fix if ISC DHCP server is not used.

Temporary Fix

                       *********                                
                       * HIPER *                                
                       *********                                

Comments

Circumvention


PTFs Available

R710 SI76508  1000

R720 SI67240  8249

R730 SI67239  8242

Affected Modules



Affected Publications

Summary Information

Status............................................CLOSED PER
HIPER...........................................Yes
Component..................................5770SS1DN
Failing Module..........................RCHMGR
Reported Release...................R730
Duplicate Of..............................







Document Information

Modified date:
17 September 2021