===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1267
    Multiple vulnerabilities have been identified in IBM InfoSphere Streams
                                19 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Streams
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2867 CVE-2016-2073 CVE-2016-0466 CVE-2016-0448
                   CVE-2016-0376 CVE-2016-0363 CVE-2015-8710 CVE-2015-8317
                   CVE-2015-1819 CVE-2013-5456 CVE-2013-3009
Reference:         ASB-2016.0004
                   ESB-2016.1258
                   ESB-2016.1241
                   ESB-2013.1125
                   ESB-2013.1096
                   ESB-2013.1077

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21983371
   http://www-01.ibm.com/support/docview.wss?uid=swg21983367
   http://www-01.ibm.com/support/docview.wss?uid=swg21983436
   http://www-01.ibm.com/support/docview.wss?uid=swg21983444
   http://www-01.ibm.com/support/docview.wss?uid=swg21983370
   http://www-01.ibm.com/support/docview.wss?uid=swg21981066
   http://www-01.ibm.com/support/docview.wss?uid=swg21983372

Comment: This bulletin contains seven (7) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams.
(CVE-2015-8710)

Document information
More support for: IBM Streams
Software version: 1.2, 2.0, 3.0, 3.1, 3.2, 3.2.1, 4.0, 4.0.1, 4.1, 4.1.1
Operating system(s): Linux
Software edition: All Editions
Reference #: 1983371
Modified date: 2016-05-18

Summary

There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams.
IBM InfoSphere Streams has addressed this vulnerability.

Vulnerability Details

CVE-ID: CVE-2015-8710
Description: libxml2 is vulnerable to a denial of service, caused by an
out-of-bounds memory access when parsing an unclosed HTML comment. By using
the "<!--" HTML comment without a close, a remote attacker could exploit this
vulnerability to trigger an out-of-bounds read and cause the system to crash.
CVSS Base Score: 5.300
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110076 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

1.2.1.0
2.0.0.4 and earlier
3.0.0.5 and earlier
3.1.0.7 and earlier
3.2.1.4 and earlier
4.0.1.1 and earlier
4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

Version 4.1.1: Contact technical support.
Version 4.0.1: Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
Version 3.2.1: Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
Version 3.1.0: Apply 3.1 Fix Pack 8 (3.1.0.8) or higher.
Version 3.0.0: Apply 3.0 Fix Pack 6 (3.0.0.6) or higher.
Versions 1.2 and 2.0: For version 1.x and 2.x, IBM recommends upgrading to a
fixed, supported version/release/platform of the product. Customers who
cannot upgrade and need to secure their installation should open a PMR with
IBM Technical Support and request assistance securing their InfoSphere
Streams system against the vulnerabilities identified in this Security
Bulletin.
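As an added example, not code from IBM or from the bulletin: a small Python checker that encodes this bulletin's "Affected Products and Versions" and "Remediation/Fixes" tables so an installed InfoSphere Streams version string (for instance from a configuration-management inventory) can be classified offline. The table is this bulletin's; the Java SDK bulletin further down names different ceilings for the 3.0 and 3.1 streams, so it would need its own table. Host names in the demo inventory are constructed.

```python
# Added example (not IBM or AusCERT code): classify an installed IBM InfoSphere
# Streams level against the CVE-2015-8710 bulletin's affected-version and
# fix-pack table.  Version strings are "major.minor.mod.fixpack".
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Per release stream (major, minor): the highest affected level the bulletin
# names and the fix pack that resolves it (None where the bulletin says to
# contact support or to upgrade instead).  Values copied from the bulletin.
AFFECTED: Dict[Tuple[int, int], Tuple[Version, Optional[Version]]] = {
    (1, 2): ((1, 2, 1, 0), None),          # 1.2.1.0: upgrade or open a PMR
    (2, 0): ((2, 0, 0, 4), None),          # 2.0.0.4 and earlier: upgrade / PMR
    (3, 0): ((3, 0, 0, 5), (3, 0, 0, 6)),  # 3.0 Fix Pack 6
    (3, 1): ((3, 1, 0, 7), (3, 1, 0, 8)),  # 3.1 Fix Pack 8
    (3, 2): ((3, 2, 1, 4), (3, 2, 1, 5)),  # 3.2.1 Fix Pack 5
    (4, 0): ((4, 0, 1, 1), (4, 0, 1, 2)),  # 4.0.1 Fix Pack 2
    (4, 1): ((4, 1, 1, 0), None),          # 4.1.1: contact technical support
}


def parse_version(text: str) -> Version:
    """'4.0.1' -> (4, 0, 1, 0); rejects anything not made of 1-4 numeric fields."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Streams version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(installed: str) -> Dict[str, object]:
    """Return {'version', 'affected', 'action'} for one installed level."""
    v = parse_version(installed)
    entry = AFFECTED.get((v[0], v[1]))
    if entry is None:
        return {"version": fmt(v), "affected": False,
                "action": "release stream not listed in this bulletin"}
    ceiling, fix = entry
    if v > ceiling:  # tuple comparison follows fix-pack ordering
        return {"version": fmt(v), "affected": False,
                "action": "above the highest affected level; no action required"}
    if fix is not None:
        action = f"apply fix pack {fmt(fix)} or higher"
    elif (v[0], v[1]) == (4, 1):
        action = "contact IBM technical support"
    else:
        action = ("upgrade to a fixed, supported version, or open a PMR with "
                  "IBM Technical Support")
    return {"version": fmt(v), "affected": True, "action": action}


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Assess a host->version inventory; malformed entries are reported, not skipped."""
    out: Dict[str, Dict[str, object]] = {}
    for host, version in inventory.items():
        try:
            out[host] = assess(version)
        except ValueError as err:
            out[host] = {"version": version, "affected": None, "action": str(err)}
    return out


if __name__ == "__main__":
    # constructed inventory, not real hosts
    demo = {"streams-a": "4.0.1.1", "streams-b": "4.0.1.2", "streams-c": "3.2.1",
            "streams-d": "4.1.1.0", "streams-e": "v3"}
    for host, r in triage(demo).items():
        print(f"{host:10} {r['version']:10} affected={r['affected']!s:5} {r['action']}")
```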
Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

16 May 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------------------------------------------------------------

Security Bulletin: IBM InfoSphere Streams update of IBM SDK Java Technology
Edition (CVE-2016-0363, CVE-2016-0376)

Document information
More support for: IBM Streams
Software version: 1.2, 2.0, 3.0, 3.1, 3.2, 3.2.1, 4.0, 4.0.1, 4.1, 4.1.1
Operating system(s): Linux
Reference #: 1983367
Modified date: 2016-05-18

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version
8 Service Refresh 2 Fix Pack 11 and earlier releases, Version 7R1 Service
Refresh 3 Fix Pack 31 and earlier releases, and Version 6 Service Refresh 16
Fix Pack 21 and earlier releases provided with IBM InfoSphere Streams. These
issues were disclosed as part of the IBM Java SDK updates for April 2016.
IBM InfoSphere Streams is providing an IBM Java SDK update that includes fixes
for security vulnerabilities. If you run Java code using the IBM Java Runtime
delivered with this product, you should evaluate your code to determine whether
these vulnerabilities are applicable to your code.

Vulnerability Details

CVEID: CVE-2016-0363
DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the
IBM ORB implementation that may allow untrusted code running under a security
manager to elevate its privileges. This vulnerability was originally reported
as CVE-2013-3009.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-0376
DESCRIPTION: A vulnerability in IBM Java SDK could allow a remote attacker to
execute arbitrary code on the system. This vulnerability allows code running
under a security manager to escalate its privileges by modifying or removing
the security manager. This vulnerability was originally reported as
CVE-2013-5456.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

1.2.1.0
2.0.0.4 and earlier
3.0.0.6 and earlier
3.1.0.8 and earlier
3.2.1.4 and earlier
4.0.1.1 and earlier
4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

Version 4.1.1: Contact Technical Support
Version 4.0.1: Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
Version 3.2.1: Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
Versions 1.2, 2.0, 3.0, and 3.1: For version 1.x, 2.x, and 3.x, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product.
Customers who cannot upgrade and need to secure their installation should open
a PMR with IBM Technical Support and request assistance securing their
InfoSphere Streams system against the vulnerabilities identified in this
Security Bulletin.

IMPORTANT NOTE: If JAVA_HOME is set, ensure it points to the install location
of the upgraded IBM Developer Kit, Java. Applications compiled with JAVA_HOME
set to a different location will need to be recompiled after JAVA_HOME has
been changed. For more information on compiling with JAVA_HOME set, see the
Notes section on the page at the following URL:
http://www-01.ibm.com/support/knowledgecenter/SSCRJU_4.0.0/com.ibm.streams.install.doc/doc/ibminfospherestreams-install-prerequisites-java-supported-sdks.html?lang=en

Workarounds and Mitigations

None

Change History

16 May 2016: Original version published
--------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
InfoSphere Streams (CVE-2016-0466, CVE-2016-0448)

Document information
More support for: IBM Streams
Software version: 1.2, 2.0, 3.0, 3.1, 3.2, 3.2.1, 4.0, 4.0.1, 4.1, 4.1.1
Operating system(s): Linux
Software edition: All Editions
Reference #: 1983436
Modified date: 2016-05-18

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version
8 Service Refresh 2 Fix Pack 11 and earlier releases, Version 7R1 Service
Refresh 3 Fix Pack 31 and earlier releases, and Version 6 Service Refresh 16
Fix Pack 21 and earlier releases. If you run your own Java code using the IBM
Java Runtime delivered with this product, you should evaluate your code to
determine whether the complete list of vulnerabilities is applicable to your
code. For a complete list of vulnerabilities, please refer to the Reference
section for more information.

Vulnerability Details

CVEID: CVE-2016-0466
DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Java SE Embedded
and JRockit related to the JAXP component could allow a remote attacker to
cause a denial of service resulting in a partial availability impact using
unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2016-0448
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the JMX component could allow a remote attacker to obtain
sensitive information resulting in a partial confidentiality impact using
unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products and Versions

1.2.1.0
2.0.0.4 and earlier
3.0.0.5 and earlier
3.1.0.7 and earlier
3.2.1.4 and earlier
4.0.1.1 and earlier
4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

Version 4.1.1: Contact Technical Support
Version 4.0.1: Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
Version 3.2.1: Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
Version 3.1.0: Apply 3.1 Fix Pack 8 (3.1.0.8) or higher.
Version 3.0.0: Apply 3.0 Fix Pack 6 (3.0.0.6) or higher.
Versions 1.2 and 2.0: For version 1.x and 2.x, IBM recommends upgrading to a
fixed, supported version/release/platform of the product. Customers who cannot
upgrade and need to secure their installation should open a PMR with IBM
Technical Support and request assistance securing their InfoSphere Streams
system against the vulnerabilities identified in this Security Bulletin.

IMPORTANT NOTE: If JAVA_HOME is set, ensure it points to the install location
of the upgraded IBM Developer Kit, Java. Applications compiled with JAVA_HOME
set to a different location will need to be recompiled after JAVA_HOME has
been changed. For more information on compiling with JAVA_HOME set, see the
Notes section on the page at the following URL:
http://www-01.ibm.com/support/knowledgecenter/SSCRJU_4.0.0/com.ibm.streams.install.doc/doc/ibminfospherestreams-install-prerequisites-java-supported-sdks.html?lang=en

Workarounds and Mitigations

None.
Change History

17 May 2016: Original version published

--------------------------------------------------------------------------------

Security Bulletin: A vulnerability in the instance runAsUser function was found
in IBM InfoSphere Streams (CVE-2016-2867)

Document information
More support for: IBM Streams
Software version: 4.0, 4.0.1, 4.1, 4.1.1
Operating system(s): Linux
Software edition: All Editions
Reference #: 1983444
Modified date: 2016-05-18

Summary

There is a potential vulnerability in IBM InfoSphere Streams when the instance
runAsUser property is set. IBM InfoSphere Streams has addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2016-2867
DESCRIPTION: In certain supported configurations of IBM InfoSphere Streams,
setting the instance runAsUser property can result in operator code using the
group id of the root user instead of the group id of the runAsUser for
checking permissions.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112763 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

4.0.1.1 and earlier
4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

Version 4.1.1: Contact technical support.
Version 4.0.1: Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.

Workarounds and Mitigations

None

Change History

20 May 2016: Original version published

--------------------------------------------------------------------------------

Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams.
(CVE-2015-8317)

Document information
More support for: IBM Streams
Software version: 1.2, 2.0, 3.0, 3.1, 3.2, 3.2.1, 4.0, 4.0.1, 4.1, 4.1.1
Operating system(s): Linux
Software edition: All Editions
Reference #: 1983370
Modified date: 2016-05-18

Summary

There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams.
IBM InfoSphere Streams has addressed this vulnerability.

Vulnerability Details

CVE-ID: CVE-2015-8317
Description: libxml2 is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking by the xmlParseXMLDecl function. By using a malformed
XML file, a local attacker could overflow a buffer and execute arbitrary code
on the system or cause the application to crash.
CVSS Base Score: 5.900
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108316 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

1.2.1.0
2.0.0.4 and earlier
3.0.0.5 and earlier
3.1.0.7 and earlier
3.2.1.4 and earlier
4.0.1.1 and earlier
4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

Version 4.1.1: Contact technical support.
Version 4.0.1: Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
Version 3.2.1: Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
Version 3.1.0: Apply 3.1 Fix Pack 8 (3.1.0.8) or higher.
Version 3.0.0: Apply 3.0 Fix Pack 6 (3.0.0.6) or higher.
Versions 1.2 and 2.0: For version 1.x and 2.x, IBM recommends upgrading to a
fixed, supported version/release/platform of the product. Customers who
cannot upgrade and need to secure their installation should open a PMR with
IBM Technical Support and request assistance securing their InfoSphere
Streams system against the vulnerabilities identified in this Security
Bulletin.
Workarounds and Mitigations

None

Change History

16 May 2016: Original version published

--------------------------------------------------------------------------------

Security Bulletin: A vulnerability in XML processing affects IBM InfoSphere
Streams (CVE-2015-1819)

Document information
More support for: IBM Streams
Software version: 1.2, 2.0, 3.0, 3.1, 3.2.1, 4.0.1, 4.1.1
Operating system(s): Linux
Reference #: 1981066
Modified date: 2016-05-18

Summary

IBM InfoSphere Streams may be vulnerable to a denial of service attack due to
the use of libxml2 (CVE-2015-1819).

Vulnerability Details

CVEID: CVE-2015-1819
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an XML
External Entity Injection (XXE) error in the xmlreader when processing XML
data. A remote attacker could exploit this vulnerability to consume all
available memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107272 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

1.2.1.0
2.0.0.4 and earlier
3.0.0.5 and earlier
3.1.0.7 and earlier
3.2.1.4 and earlier
4.0.1.1 and earlier
4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

Version 4.1.1: Contact technical support.
Version 4.0.1: Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
Version 3.2.1: Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
Version 3.1.0: Apply 3.1 Fix Pack 8 (3.1.0.8) or higher.
Version 3.0.0: Apply 3.0 Fix Pack 6 (3.0.0.6) or higher.
Versions 1.2 and 2.0: For version 1.x and 2.x, IBM recommends upgrading to a
fixed, supported version/release/platform of the product. Customers who
cannot upgrade and need to secure their installation should open a PMR with
IBM Technical Support and request assistance securing their InfoSphere
Streams system against the vulnerabilities identified in this Security
Bulletin.

Change History

16 May 2016: Original version published

--------------------------------------------------------------------------------

Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams.
(CVE-2016-2073)

Document information
More support for: IBM Streams
Software version: 1.2, 2.0, 3.0, 3.1, 3.2, 3.2.1, 4.0, 4.0.1, 4.1, 4.1.1
Operating system(s): Linux
Software edition: All Editions
Reference #: 1983372
Modified date: 2016-05-18

Summary

There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams.
IBM InfoSphere Streams has addressed this vulnerability.

Vulnerability Details

CVE-ID: CVE-2016-2073
Description: libxml2 is vulnerable to a heap-based buffer overflow, caused by
an out-of-bounds read in the htmlParseNameComplex() function. By persuading a
victim to open a specially crafted XML file, a remote attacker could overflow
a buffer and execute arbitrary code on the system or cause the application to
crash.
CVSS Base Score: 6.300
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110307 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

1.2.1.0
2.0.0.4 and earlier
3.0.0.5 and earlier
3.1.0.7 and earlier
3.2.1.4 and earlier
4.0.1.1 and earlier
4.1.1.0 and earlier

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

Version 4.1.1: Contact technical support.
Version 4.0.1: Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
Version 3.2.1: Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
Version 3.1.0: Apply 3.1 Fix Pack 8 (3.1.0.8) or higher.
Version 3.0.0: Apply 3.0 Fix Pack 6 (3.0.0.6) or higher.
Versions 1.2 and 2.0: For version 1.x and 2.x, IBM recommends upgrading to a
fixed, supported version/release/platform of the product. Customers who
cannot upgrade and need to secure their installation should open a PMR with
IBM Technical Support and request assistance securing their InfoSphere
Streams system against the vulnerabilities identified in this Security
Bulletin.

Workarounds and Mitigations

None

Change History

16 May 2016: Original version published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================