Security Bulletin
Summary
A vulnerability exists in the version of ICU4C shipped by IBM WebSphere MQ that provides support for the Managed File Transfer (MFT) process controller.
Vulnerability Details
CVEID: CVE-2011-4599
DESCRIPTION: International Components for Unicode (ICU) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the _canonicalize( ) function. By supplying a negative len value, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/71726 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
The ICU4C vulnerability only affects MQ installations that have Managed File Transfer (MFT) components installed.
IBM MQ 8.0
Fixpack 8.0.0.3 and earlier maintenance levels
IBM WebSphere MQ 7.5
Fixpack 7.5.0.5 and earlier maintenance levels
Remediation/Fixes
IBM MQ 8.0
Apply fixpack 8.0.0.4 or later
IBM WebSphere MQ 7.5
Apply fixpack 7.5.0.6 or later
Get Notified about Future Security Bulletins
References
Change History
11 March 2016 - Original version published
11 April 2016 - Clarify this vulnerability only affects Managed File Transfer installations
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21975091