IBM Support

Security Bulletin: Open Source Apache Xerces-C XML parser Vulnerabilities -- including XML4C (CVE-2016-0729)

Security Bulletin


Summary

The vulnerabilities have been addressed in the Open Source Apache Xerces-C XML parser for IBM Data Server Driver packages(DB2 Connect Instance less clients).

Vulnerability Details

CVEID: CVE-2016-0729
DESCRIPTION: Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by improper bounds checking during processing and error reporting. By sending specially crafted input documents, an attacker could exploit this vulnerability to cause the library to crash or possibly execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

The V9.7, V10.1, V10.5, V11.1 versions of IBM Data Server Driver packages(DB2 Connect Instance less clients) are as follows:
IBM Data Server Driver Package
IBM Data Server Driver for ODBC and CLI

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

FIX:

The fix for driver package release V10.5 is in V10.5 FP8, available for download from Fix Central.
Customers running any vulnerable fixpack level of an affected Program, V9.7, V10.1 and V11.1 can download the special build containing the fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.7 FP11, DB2 V10.1 FP5 and DB2 V11.1 GA. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Refer to the following chart to determine how to proceed to obtain a needed fixpack or special build.

ReleaseDownload URL
9.7Special Build for V9.7 FP11

IBM Data Server Driver Package
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-bit
Windows x86-32
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-bit
Windows x86-32
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI (32-bit)
Solaris 64-bit, SPARC
Solaris 64-bit, x86
AIX 64-bit
Linux 64-bit, pSeries
Linux 64-bit, zSeries
HP-UX 64-bit
10.1Special Build for V10.1 FP5

IBM Data Server Driver Package
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI (32-bit)
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
HP-UX 64-bit
10.510.5 FP8 Fixpack
http://www.ibm.com/support/docview.wss?uid=swg24042680
11.1Special Build for V11.1 GA

IBM Data Server Driver Package
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86

IBM Data Server Driver for ODBC and CLI (32-bit)
Linux 64-bit, zSeries
AIX 64-Bit

For platforms not listed above, contact Technical Support

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

10/14/2016 -- Initial Security Bulletin 

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSSNY3","label":"IBM Data Server Client Packages"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.7;10.5;10.1;11.1","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

More support for:
IBM Data Server Client Packages

Software version:
9.7, 10.5, 10.1, 11.1

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Document number:
548067

Modified date:
16 June 2018

UID

swg21987901

Manage My Notification Subscriptions

Page Feedback