Security Bulletin
Summary
Multiple vulnerabilities in Bind, glibc, net-snmp, spice affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2015-5722, CVE-2015-5621, CVE-2014-3565, CVE-2014-8121, CVE-2015-3247).
Vulnerability Details
CVEID: CVE-2015-5722
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by the exit of a validating resolver due to an assertion failure in buffer.c..By parsing a malformed DNSSEC key, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106089 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2015-3247
DESCRIPTION: Red Hat spice is vulnerable to a heap-based buffer overflow, caused by improper bounds checking within worker_update_monitors_config() in spice-server. A remote attacker could overflow a buffer to crash the host QEMU-KVM process.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106182 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H)
CVEID: CVE-2014-8121
DESCRIPTION: GNU C Library (glibc) is vulnerable to a denial of service, caused by the failure to properly check if a file is open by DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS). By performing a look-up on a database while iterating over it, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102652 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-5621
DESCRIPTION: Net-SNMP is vulnerable to a denial of service, caused by incompletely parsed varBind variables being left in the list of variables by the snmp_pdu_parse() function. A remote attacker could exploit this vulnerability to cause the application to crash or possibly execute arbitrary code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105232 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2014-3565
DESCRIPTION: Net-SNMP is vulnerable to a denial of service, caused by the improper handling of SNMP traps when started with the "-OQ" option. By sending an SNMP trap message containing a variable with a NULL type, a remote attacker could exploit this vulnerability to cause snmptrapd to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95638 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance
Remediation/Fixes
If you are running IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance, contact IBM support.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
* 21 October 2015: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
CVE-IDs: CVE-2015-5722, CVE-2015-5621, CVE-2014-3565, CVE-2014-8121, CVE-2015-3247
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21968047