===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1897
Security Bulletin: Multiple vulnerabilities in NTP, OpenSSL, GNU glibc and
               Libreswan affect IBM Netezza Host Management
                               4 August 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Netezza Host Management
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3071 CVE-2016-2518 CVE-2016-2109
                   CVE-2016-2107 CVE-2016-2106 CVE-2016-2105
                   CVE-2016-1550 CVE-2016-1548 CVE-2016-1547
                   CVE-2015-8158 CVE-2015-8138 CVE-2015-7979
                   CVE-2015-7978 CVE-2015-7977 CVE-2015-7852
                   CVE-2015-7704 CVE-2015-7703 CVE-2015-7702
                   CVE-2015-7701 CVE-2015-7692 CVE-2015-7691
                   CVE-2015-5229 CVE-2015-1799 CVE-2015-1798

Reference:         ASB-2016.0074
                   ASB-2016.0046
                   ESB-2016.1076
                   ESB-2016.0387
                   ESB-2016.0177
                   ESB-2015.2694
                   ESB-2015.0933

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21985978

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in NTP, OpenSSL, GNU glibc and
Libreswan affect IBM Netezza Host Management

Security Bulletin

Document information

More support for: PureData System for Analytics
Software version: 1.0.0
Operating system(s): Platform Independent
Software edition: All Editions
Reference #: 1985978
Modified date: 2016-08-03

Summary

NTP, OpenSSL, GNU glibc and Libreswan are used by IBM Netezza Host
Management. IBM Netezza Host Management has addressed the applicable CVEs.

Vulnerability Details

CVEID:

CVE-2015-1799

DESCRIPTION:

Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a
denial of service, caused by an error when using symmetric key
authentication. By sending specially-crafted packets to both peering hosts,
an attacker could exploit this vulnerability to prevent synchronization.

CVSS Base Score: 5.4

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102052 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)

CVEID:

CVE-2015-1798

DESCRIPTION:

Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote
attacker to bypass security restrictions, caused by the acceptance of packets
that do not contain a message authentication code (MAC) as valid packets when
configured for symmetric key authentication. An attacker could exploit this
vulnerability using man-in-the-middle techniques to bypass the authentication
process.

CVSS Base Score: 5.4

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102051 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)

CVEID:

CVE-2015-7701

DESCRIPTION:

Network Time Protocol (NTP) could allow a remote attacker to obtain sensitive
information, caused by a memory leak in CRYPTO_ASSOC. An attacker could
exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107444 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:

CVE-2015-7852

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a buffer overflow, caused by
improper bounds checking by the cookedprint functionality. By sending an
overly long string, a remote attacker could overflow a buffer and execute
arbitrary code on the system or cause the application to crash.

CVSS Base Score: 7.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107439 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:

CVE-2015-7692

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107450 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7691

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107449 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7704

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in the rate-limiting mechanism. By sending spoofed Kiss-o'-Death
packets, an attacker could exploit this vulnerability to disable NTP at a
victim client.

CVSS Base Score: 7.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107446 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:

CVE-2015-7702

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107451 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
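
The class of check that CVE-2015-7691, CVE-2015-7692 and CVE-2015-7702 describe as missing, shown as an added example that is not part of the IBM bulletin and is not ntpd's code. It assumes the RFC 5906 Autokey extension field layout and, as a simplification, treats any 8-octet field as carrying no value; all names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ext_status { EXT_OK, EXT_TRUNCATED, EXT_BAD_LENGTH, EXT_BAD_VALLEN, EXT_BAD_SIGLEN };

/* Read a 32-bit big-endian (network order) word. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate one extension field before anything dereferences its value or
 * signature. Assumed layout: type(2) len(2) assoc(4) timestamp(4)
 * filestamp(4) vallen(4) value(padded to 4) siglen(4) signature. */
enum ext_status check_autokey_ext(const uint8_t *buf, size_t avail)
{
    if (avail < 4)
        return EXT_TRUNCATED;
    uint32_t len = ((uint32_t)buf[2] << 8) | buf[3];  /* whole field, octets */
    if (len < 8 || (len & 3) != 0)
        return EXT_BAD_LENGTH;
    if (len > avail)
        return EXT_TRUNCATED;
    if (len == 8)
        return EXT_OK;            /* header + association ID, no value */
    if (len < 24)
        return EXT_BAD_LENGTH;    /* too short to hold vallen and siglen */

    uint32_t vallen = be32(buf + 16);
    uint32_t room = len - 24;     /* octets available to value + signature */
    if (vallen > room)            /* compare first: no arithmetic on vallen yet */
        return EXT_BAD_VALLEN;
    uint32_t sig_off = 20 + ((vallen + 3u) & ~3u);   /* cannot overflow now */
    uint32_t siglen = be32(buf + sig_off);
    if (siglen > len - sig_off - 4)
        return EXT_BAD_SIGLEN;
    return EXT_OK;
}

/* Constructed samples: a 28-octet field with a 4-octet value, and the same
 * field with the value length changed to 0xffff. */
const uint8_t sample_ok[28] = {
    0x80, 0x02, 0x00, 0x1c,  0, 0, 0, 1,  0, 0, 0, 2,  0, 0, 0, 3,
    0, 0, 0, 4,  'a', 'b', 'c', 'd',  0, 0, 0, 0 };
const uint8_t sample_bad_vallen[28] = {
    0x80, 0x02, 0x00, 0x1c,  0, 0, 0, 1,  0, 0, 0, 2,  0, 0, 0, 3,
    0, 0, 0xff, 0xff,  'a', 'b', 'c', 'd',  0, 0, 0, 0 };

int main(void)
{
    printf("ok=%d bad_vallen=%d truncated=%d\n",
           check_autokey_ext(sample_ok, sizeof sample_ok),
           check_autokey_ext(sample_bad_vallen, sizeof sample_bad_vallen),
           check_autokey_ext(sample_ok, 16));
    return 0;
}
```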

CVEID:

CVE-2015-7703

DESCRIPTION:

Network Time Protocol (NTP) could allow a remote attacker to traverse
directories on the system, caused by the failure to enforce local access only
of the "pidfile" and "driftfile" configuration directives. An attacker could
exploit this vulnerability to view arbitrary files on the system.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107445 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:

CVE-2015-7977

DESCRIPTION:

NTP is vulnerable to a denial of service, caused by a NULL pointer
dereference. By sending a specially crafted ntpdc reslist command, an
attacker could exploit this vulnerability to cause a segmentation fault.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110022 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7978

DESCRIPTION:

NTP is vulnerable to a denial of service. By sending a specially crafted
reslist command, an attacker could exploit this vulnerability to consume all
available stack memory.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110023 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7979

DESCRIPTION:

NTP could allow a remote attacker to bypass security restrictions. By sending
specially crafted broadcast packets with bad authentication, an attacker
could exploit this vulnerability to cause the target broadcast client to tear
down the association with the broadcast server.

CVSS Base Score: 6.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110024 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID:

CVE-2015-8138

DESCRIPTION:

NTP could allow a remote attacker to bypass security restrictions. By sending
a specially crafted packet with an origin timestamp of zero, an attacker
could exploit this vulnerability to bypass the timestamp validation check.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110025 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:

CVE-2015-8158

DESCRIPTION:

NTP is vulnerable to a denial of service, caused by the improper processing
of incoming packets by ntpq. By sending specially crafted data, an attacker
could exploit this vulnerability to cause the application to enter into an
infinite loop.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110026 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-5229

DESCRIPTION:

GNU C Library (glibc) is vulnerable to a denial of service, caused by the
return of memory areas containing non-zero bytes by the calloc
implementation. A remote attacker could exploit this vulnerability to cause
the application to crash or hang.

CVSS Base Score: 3.7

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110711 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2016-1547

DESCRIPTION:

NTP is vulnerable to a denial of service, caused by the demobilization of a
preemptable client association. By sending specially crafted crypto NAK
packets, an attacker could exploit this vulnerability to cause a denial of
service.

CVSS Base Score: 3.7

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112739 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2016-1548

DESCRIPTION:

NTP could allow a remote attacker to bypass security restrictions, caused by
an error in the ntpd client. By changing the client from basic client/server
mode to interleaved symmetric mode, an attacker could exploit this
vulnerability to modify the time of the client or cause a denial of service.

CVSS Base Score: 7.2

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112740 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)

CVEID:

CVE-2016-1550

DESCRIPTION:

NTP could allow a local attacker to bypass security restrictions, caused by
the failure to use a constant-time memory comparison function when validating
the authentication digest on incoming packets. By sending a specially crafted
packet with an authentication payload, an attacker could exploit this
vulnerability to conduct a timing attack to compute the value of the valid
authentication digest.

CVSS Base Score: 4

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112742 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
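
The difference between an early-exit digest comparison and a constant-time one, as named in the CVE-2016-1550 description; this is an added example, not part of the IBM bulletin and not ntpd's code. The function names, the step counter and the 16-octet sample digests are constructed for illustration, and the counter stands in for elapsed time so the data-dependent behaviour is visible without a timer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

size_t last_steps;   /* octets examined by the most recent comparison */

/* Early-exit comparison: the amount of work depends on where the first
 * mismatching octet is, which is what a timing attack measures. */
int digest_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    last_steps = 0;
    for (size_t i = 0; i < n; i++) {
        last_steps++;
        if (a[i] != b[i])
            return 0;              /* returns sooner the earlier the mismatch */
    }
    return 1;
}

/* Constant-time comparison: every octet is examined, differences are
 * accumulated with OR, and there is a single decision at the end. */
int digest_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;     /* volatile discourages short-circuiting */
    last_steps = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
        last_steps++;
    }
    return diff == 0;
}

/* Constructed digest and two wrong guesses: one differs in the first octet,
 * the other only in the last. */
const uint8_t expected[16]    = { 0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
                                  0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f };
const uint8_t wrong_first[16] = { 0x00, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
                                  0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f };
const uint8_t wrong_last[16]  = { 0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
                                  0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x00 };

int main(void)
{
    digest_equal_leaky(expected, wrong_first, 16);
    printf("leaky, first octet wrong: %zu steps\n", last_steps);
    digest_equal_leaky(expected, wrong_last, 16);
    printf("leaky, last octet wrong:  %zu steps\n", last_steps);
    digest_equal_ct(expected, wrong_first, 16);
    printf("ct,    first octet wrong: %zu steps\n", last_steps);
    digest_equal_ct(expected, wrong_last, 16);
    printf("ct,    last octet wrong:  %zu steps\n", last_steps);
    return 0;
}
```

In production code, use a vetted primitive such as OpenSSL's CRYPTO_memcmp() rather than a hand-written loop.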

CVEID:

CVE-2016-2518

DESCRIPTION:

NTP is vulnerable to a denial of service, caused by an error when using a
specially crafted packet to create a peer association with hmode > 7. An
attacker could exploit this vulnerability to cause the MATCH_ASSOC() function
to trigger an out-of-bounds read.

CVSS Base Score: 2

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112746 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)

CVEID:

CVE-2016-2109

DESCRIPTION:

OpenSSL is vulnerable to a denial of service, caused by a memory allocation
error. By reading specially crafted ASN.1 data from a BIO using functions
such as d2i_CMS_bio(), an attacker could exploit this vulnerability to
consume all available resources and exhaust memory.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112857 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2016-2107

DESCRIPTION:

OpenSSL could allow a remote attacker to obtain sensitive information, caused
by an error when the connection uses an AES CBC cipher and the server supports
AES-NI. A remote user with the ability to conduct a man-in-the-middle attack
could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded
Legacy Encryption) attack to decrypt traffic.

CVSS Base Score: 4.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112854 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:

CVE-2016-2105

DESCRIPTION:

OpenSSL is vulnerable to a heap-based buffer overflow, caused by improper
bounds checking by the EVP_EncodeUpdate() function. By sending an overly long
argument, a remote attacker could overflow a buffer and execute arbitrary
code on the system or cause the application to crash.

CVSS Base Score: 5.6

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112855 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-2106

DESCRIPTION:

OpenSSL is vulnerable to a heap-based buffer overflow, caused by improper
bounds checking by the EVP_EncryptUpdate() function. By sending an overly
long argument, a remote attacker could overflow a buffer and execute
arbitrary code on the system or cause the application to crash.

CVSS Base Score: 5.6

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112856 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-3071

DESCRIPTION:

Libreswan is vulnerable to a denial of service, caused by an error in IKEv2
aes_xcbc transform. By sending a specially-crafted IKE packet, a remote
attacker could exploit this vulnerability to cause the IKE daemon to crash
and restart.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112389 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Netezza Host Management 5.4.5.0 (and prior releases).

Remediation/Fixes

IBM Netezza Host Management 5.4.6.0

3-disk set for IBM Netezza Host Management v5.4.6. The 
nz-hostmgmt-v5.4.6.0.tar.gz file and Disk 1 are the Host Management software 
for IBM PureData System for Analytics N3001, N200x, N100x, and IBM Netezza 
C1000/1000/100. Also included is the Guardium Installation Manager GIM. The 
content of Disk 1 is the same as Host Management 5.4.4. Disk 2 contains 
critical patches as of July 2016 to RHEL 5.x for N100x, and IBM Netezza 
C1000/1000/100 systems. Disk 3 contains critical patches as of July 2016 to 
RHEL 6.x for N200x/N3001 systems.

Red Hat Enterprise Linux (RHEL) Security Patching for IBM PureData System for
Analytics appliances

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

02 August 2016: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================