
Security Bulletin: Vulnerabilities in glibc affect "WebSphere Message Broker v8 HVE" and "IBM Integration Bus V9 HVE" (CVE-2014-5119)

Created by Veena Ramachandran on
Published URL: https://www.ibm.com/support/pages/node/252361

Security Bulletin

Summary

A glibc vulnerability was disclosed in September 2014. This bulletin addresses the vulnerability that has been referred to as "glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find()". glibc is shipped with the "WebSphere Message Broker v8 HVE" and "IBM Integration Bus V9 HVE" products.

Vulnerability Details

CVE-ID: CVE-2014-5119

DESCRIPTION: The GNU C Library (glibc) is vulnerable to a heap-based buffer overflow, caused by an off-by-one error in the __gconv_translit_find() function. By setting the CHARSET environment variable to a malicious value, a local attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with root privileges.

CVSS Base Score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95044 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

  • WebSphere Message Broker v8 HVE
  • IBM Integration Bus V9 HVE

Remediation/Fixes

IBM recommends that you review your entire environment to identify vulnerable releases of glibc including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.
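As an added example that is not part of the IBM bulletin, the following POSIX shell script supports the inventory step recommended above: it parses the glibc version reported by `ldd --version` on a Linux host and compares it with the fixed version you take from your OS vendor's advisory. The bulletin itself names no fixed version, so `FIXED_GLIBC_VERSION` is a placeholder that you supply; the `ldd` output lines used in the comments are constructed samples. Distribution vendors frequently backport security fixes without changing the upstream version number, so a version older than the upstream fix is a lead to confirm against your vendor's package data, not a verdict.

```shell
#!/bin/sh
# Added example (not IBM's code): inventory the glibc version on a Linux host and
# compare it with the fixed version published by the OS vendor for CVE-2014-5119.
# FIXED_GLIBC_VERSION is a placeholder; take the real value from your vendor's advisory.

# Extract "major.minor[.patch]" from the first line of `ldd --version`.
# Constructed sample inputs: "ldd (GNU libc) 2.19" and
# "ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19" both yield "2.19".
glibc_version_from_ldd() {
    # $1: the first line of `ldd --version` output
    printf '%s\n' "$1" | sed -n 's/[[:space:]]*$//; s/.* \([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*\)$/\1/p'
}

# Compare two dotted version strings numerically, component by component, treating
# a missing component as 0 (so 2.19 and 2.19.0 are equal). Prints "older", "same"
# or "newer", describing $1 relative to $2.
compare_versions() {
    a="$1"; b="$2"
    i=1
    while :; do
        pa=$(printf '%s' "$a" | awk -F. -v n="$i" '{print $n}')
        pb=$(printf '%s' "$b" | awk -F. -v n="$i" '{print $n}')
        if [ -z "$pa" ] && [ -z "$pb" ]; then echo same; return 0; fi
        pa=${pa:-0}; pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then echo older; return 0; fi
        if [ "$pa" -gt "$pb" ]; then echo newer; return 0; fi
        i=$((i + 1))
    done
}

# Classify a host from its `ldd --version` first line ($1) and the vendor's fixed
# version ($2). Prints OLDER_THAN_FIX, AT_OR_ABOVE_FIX, or UNPARSED when the
# version cannot be read (e.g. a non-glibc libc such as musl).
classify_glibc() {
    installed=$(glibc_version_from_ldd "$1")
    if [ -z "$installed" ]; then echo UNPARSED; return 0; fi
    case $(compare_versions "$installed" "$2") in
        older) echo OLDER_THAN_FIX ;;
        *)     echo AT_OR_ABOVE_FIX ;;
    esac
}

# Report on the host this script runs on. If FIXED_GLIBC_VERSION is not set,
# only the installed version is printed so that nothing is misclassified.
if command -v ldd >/dev/null 2>&1; then
    first_line=$(ldd --version 2>/dev/null | head -n 1)
    if [ -n "${FIXED_GLIBC_VERSION:-}" ]; then
        printf '%s: glibc %s: %s (vendor fixed version %s)\n' "$(uname -n)" \
            "$(glibc_version_from_ldd "$first_line")" \
            "$(classify_glibc "$first_line" "$FIXED_GLIBC_VERSION")" "$FIXED_GLIBC_VERSION"
    else
        printf '%s: glibc %s (set FIXED_GLIBC_VERSION from your OS vendor advisory to classify)\n' \
            "$(uname -n)" "$(glibc_version_from_ldd "$first_line")"
    fi
fi
```

Run it as `FIXED_GLIBC_VERSION=<vendor value> sh glibc-inventory.sh` on each host, or push it through your configuration-management tool, and collect the one-line results centrally. Because the HVE products bundle glibc with the operating system image, the relevant fixed version is the one for that image's distribution and release, and the final word on whether a backported package fixes CVE-2014-5119 is the vendor's changelog or security advisory for that package.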

Workarounds and Mitigations

None known

References

Change History

1 October 2014: Original version published
9 September 2015: Revised expiry date of the document

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product Synonym

WMB IIB

Document Information

Modified date: 15 June 2018

UID: swg21685819