IBM Support

IBM PureApplication System Version 2.1.2.3

Download


Abstract

This document lists the fixes contained in IBM PureApplication System 2.1.2.3.

Download Description

To download the interim fix, go to the PureApplication System product page on Fix Central.

Version 2.1.2.3 includes fixes for these security vulnerabilities:

CVEID: CVE-2016-2108
DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a buffer underflow when deserializing untrusted ASN.1 structures and later reserializes them. An attacker could exploit this vulnerability to corrupt memory and trigger an out-of-bounds write and execute arbitrary code on the system.

CVEID: CVE-2016-2107
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error when the connection uses an AES CBC cipher and the server support AES-NI. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt traffic.

CVEID: CVE-2016-2105
DESCRIPTION: OpenSSL is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the EVP_EncodeUpdate() function. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2016-2106
DESCRIPTION: OpenSSL is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the EVP_EncryptUpdate() function. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2016-2109
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory allocation error. By reading specially crafted ASN.1 data from a BIO using functions such as d2i_CMS_bio(), an attacker could exploit this vulnerability to consume all available resources and exhaust memory.

CVEID: CVE-2016-3426
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.

CVEID: CVE-2016-0264
DESCRIPTION: A buffer overflow vulnerability in the IBM JVM facilitates arbitrary code execution under certain limited circumstances.


This release does not include any Authorized Program Analysis Reports (APARs).

Off
[{"Product":{"code":"SSM8NY","label":"PureApplication System"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"}],"Version":"2.1.2.3","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

More support for:
PureApplication System

Software version:
2.1.2.3

Operating system(s):
Linux, AIX

Document number:
587267

Modified date:
15 June 2018

UID

swg24042444

Manage My Notification Subscriptions

Page Feedback