Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software

Vulnerability Details

CVEID:   CVE-2021-20294
DESCRIPTION:   GNU Binutils is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the readelf program. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201042 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-3487
DESCRIPTION:   GNU Binutils is vulnerable to a denial of service, caused by a flaw in the read_section() function in dwarf2.c in the BFD library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause excessive memory consumption.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200073 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-35448
DESCRIPTION:   GNU Binutils is vulnerable to a denial of service, caused by a heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193875 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-16590
DESCRIPTION:   GNU Binutils is vulnerable to a denial of service, caused by a double free vulnerability in process_symbol_table in Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192876 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:   CVE-2021-20197
DESCRIPTION:   GNU binutils could allow a local authenticated attacker to bypass security restrictions, caused by an open race window flaw when writing output in the ar, objcopy, strip, ranlib utilities. By using a specially-crafted symlink, an attacker could exploit this vulnerability to allow the utilities to get the ownership of arbitrary files.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198863 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID:   CVE-2021-20284
DESCRIPTION:   GNU Binutils is vulnerable to a denial of service, caused by a heap-based buffer overflow in the _bfd_elf_slurp_secondary_reloc_section function in elf.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198864 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)