
Security Bulletin: Multiple vulnerabilities in PHP and memcached libraries affect IBM Tealeaf Customer Experience

Created by Charles Hornig on
Published URL:
https://www.ibm.com/support/pages/node/548581

Summary

The IBM Tealeaf Customer Experience PCA component uses versions of PHP and memcached with reported security issues.

Vulnerability Details

CVEID: CVE-2013-0179
DESCRIPTION:
memcached is vulnerable to a denial of service, caused by an error in the process_bin_delete() function within the memcached.c file when printing the terminated keys to stderr. By sending a specially-crafted request to delete a key using the memrm service, a remote attacker could exploit this vulnerability to cause a segmentation fault and crash the application.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90535 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-7290
DESCRIPTION:
memcached is vulnerable to a denial of service, caused by an error in the do_item_get() function within the items.c file when printing the terminated keys to stderr. By sending a specially-crafted request to delete a key using the memrm service, a remote attacker could exploit this vulnerability to cause a segmentation fault and crash the application.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90540 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-7291
DESCRIPTION:
memcached is vulnerable to a denial of service, caused by an error in the process_bin_delete() function within the memcached.c file when printing the terminated keys to stderr. By sending a specially-crafted request to delete a key, a remote attacker could exploit this vulnerability to cause a segmentation fault and crash the application.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90542 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-8865
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of continuation-level jumps by the file_check_mem function. An attacker could exploit this vulnerability using a specially crafted magic file to execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113955 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-2554
DESCRIPTION:
PHP is vulnerable to a stack-based buffer overflow, caused by improper bounds checking in ext/phar/tar.c. By using a malformed TAR archive, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113825 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-4072
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of \0 characters by the Phar extension. An attacker could exploit this vulnerability using a specially crafted filename to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113816 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Tealeaf Customer Experience v8.0-v9.0.2

Remediation/Fixes

Product | VRMF | Remediation/First Fix
IBM Tealeaf Customer Experience | 9.0.2A | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.2A-tealeaf-pca-3732-5_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 9.0.2 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.2-tealeaf-pca-3682-5_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 9.0.1A | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1A-tealeaf-pca-3724-5_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 9.0.1 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.1-tealeaf-pca-3673-5_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 9.0.0, 9.0.0A | You can contact the Technical Support team for guidance.
IBM Tealeaf Customer Experience | 8.8 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8-tealeaf-pca-3625-5_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 8.7 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7-tealeaf-pca-3615-5_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 8.6 and earlier | You can contact the Technical Support team for guidance.
For v9.0.0, 9.0.0A, and versions before v8.7, IBM recommends upgrading to a later supported version of the product.

Workarounds and Mitigations

You can contact the Technical Support team for further guidance.

References


Change History

04 Aug 2016: Initial version

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
16 June 2018

UID

swg21988257