IBM Support

Security Bulletin: Vulnerability in ICU4C affects IBM Tealeaf Customer Experience (CVE-2016-6293)

Created by Charles Hornig on
Published URL:
https://www.ibm.com/support/pages/node/286129
286129

Security Bulletin


Summary

IBM Tealeaf Customer Experience uses a version of ICU4C with a reported security issue.

Vulnerability Details

CVEID: CVE-2016-6293
DESCRIPTION: International Components for Unicode (ICU) could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in the uloc_acceptLanguageFromHTTP function. An attacker could exploit this vulnerability using a call with a long httpAcceptLanguage argument to execute arbitrary code on the system. Note: This vulnerability also affect PHP.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115536 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Tealeaf Customer Experience 9.0.1-9.0.2

Remediation/Fixes

Product

VRMF
Remediation/First Fix
IBM Tealeaf Customer Experience
9.0.2A
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2.5269_9.0.2A_IBMTealeaf_CXUpgrade_FixPack5&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
IBM Tealeaf Customer Experience
9.0.2
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2.1283_IBMTealeaf_CXUpgrade_FixPack5&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
IBM Tealeaf Customer Experience
9.0.1A
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.1.5118_9.0.1A_IBMTealeaf_CXUpgrade_FixPack6&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
IBM Tealeaf Customer Experience
9.0.1
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.1.1128_9.0.1_IBMTealeaf_CXUpgrade_FixPack6&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

16 December 2016: Original version published.
22 May 2017: Add v9.0.1 and update links.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Security Bulletin History
Submitted for review by Charles Hornig (chornig@us.ibm.com) at 15:22:04 on 11/28/2016.
Security Bulletin Reviewer review completed with comments ''review complete'' by Guncha Malik (gmalik@in.ibm.com) at 02:08:19 EST on 11/29/2016.
PSIRT Operations review rejected with comments ''No executive approval or ''Missing Code Fix'' details are recorded for v9.1(A). The remediation plan lists this as having a ''Code Fix'', but the security bulletin is telling clients to contact technical support for guidance. Please adjust accordingly and re-submit for approval once complete.'' by Wendell J. Bouknight (bouknigh@us.ibm.com) at 11:19:06 EST on 11/29/2016.
Modified and submitted for review by Charles Hornig (chornig@us.ibm.com) at 12:01:22 on 11/30/2016.
Security Bulletin Reviewer review rejected with comments ''Security bulletin indicates fix will be delivered on 9.0.2 (9.0.2A) only while remediation plan indicates that fix will be delivered on both 9.0.1 (9.0.1A) and 9.0.2 (9.0.2A). Please fix this.'' by Guncha Malik (gmalik@in.ibm.com) at 00:58:48 EST on 12/10/2016.
Modified and submitted for review by Charles Hornig (chornig@us.ibm.com) at 12:41:39 on 12/13/2016.
Security Bulletin Reviewer review completed with comments ''review complete. Bulletin will be updated once fixes for other planned versions are released.'' by Guncha Malik (gmalik@in.ibm.com) at 12:45:08 EST on 12/13/2016.
PSIRT Operations review rejected with comments ''Bulletin publication date only aligns with one (v9.2) of two fixes in the Remediation Plan. Please consult and record Legal''s agreement to publish a bulletin in this manner and the exact verbiage to be used.'' by Wendell J. Bouknight (bouknigh@us.ibm.com) at 13:36:42 EST on 12/13/2016.
Modified and submitted for review by Charles Hornig (chornig@us.ibm.com) at 16:12:01 on 12/13/2016.
Security Bulletin Reviewer review completed with comments ''review complete'' by Guncha Malik (gmalik@in.ibm.com) at 11:37:42 EST on 12/14/2016.
Security Bulletin Reviewer review completed with comments ''review complete'' by Guncha Malik (gmalik@in.ibm.com) at 12:09:21 EST on 12/14/2016.
Security Bulletin Reviewer review completed with comments ''PSIRT Ops pushing record forward through process due to restart bug.'' by Shryl A. Tidmore (stidmore@us.ibm.com) at 17:12:51 EST on 12/14/2016.
PSIRT Operations review completed with comments ''noted legal review meeting took place. pushing record to legal for their review'' by Shryl A. Tidmore (stidmore@us.ibm.com) at 17:19:40 EST on 12/14/2016.
Reviewing Attorney review completed with comments ''Review complete. Bulletin will be updated in 1Q2017 when additional fixes are available.'' by VANESSA A. WITT (vanewitt@us.ibm.com) at 11:37:54 EST on 12/15/2016.
Security Bulletin Reviews Complete by deadmin (deadmin) at 11:37:55 EST on 12/15/2016.

[{"Product":{"code":"SSERNK","label":"Tealeaf Customer Experience"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
16 June 2018

UID

swg21994863

Page Feedback