Security Bulletin: IBM Security Access Manager Appliance is affected by GnuTLS vulnerabilities

Vulnerability Details

CVEID: CVE-2017-7869
DESCRIPTION: GnuTLS is vulnerable to a denial of service, caused by an integer overflow and heap-based buffer overflow in cdk_pkt_read function in opencdk/read-packet.c. An attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7507
DESCRIPTION: GnuTLS is vulnerable to a denial of service, caused by a NULL pointer dereference while decoding a status response TLS extension with valid contents. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128676 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-5337
DESCRIPTION: GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a stack or heap-based buffer overflow error. By sending a specially-crafted OpenPGP certificate, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120490 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-5336
DESCRIPTION: GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a stack or heap-based buffer overflow error. By sending a specially-crafted OpenPGP certificate, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120489 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-5335
DESCRIPTION: GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a stack or heap-based buffer overflow error. By sending a specially-crafted OpenPGP certificate, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120488 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-5334
DESCRIPTION: GnuTLS could allow a remote attacker to execute arbitrary code on the system, caused by a double-free memory error in gnutls_x509_ext_import_proxy() function. By sending a specially-crafted X.509 containing a Proxy Certificate Information extension, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120486 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-7444
DESCRIPTION: GnuTLS could allow a remote attacker to bypass security restrictions, caused by the failure to verify the serial length of an OCSP response by the gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c. An attacker could exploit this vulnerability using vectors involving trailing bytes left by gnutls_malloc to bypass the certificate validation mechanism.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117393 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)