-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0382
   Security Bulletin: Multiple vulnerabilities in Open Source Binutils and
             Open Source OpenSSL affect IBM Netezza Analytics
                               8 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Netezza Analytics
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12459 CVE-2017-12458 CVE-2017-12457 CVE-2017-12456
                   CVE-2017-12455 CVE-2017-12454 CVE-2017-12453 CVE-2017-12452
                   CVE-2017-12451 CVE-2017-12450 CVE-2017-12449 CVE-2017-12448
                   CVE-2017-9954 CVE-2017-9754 CVE-2017-9749 CVE-2017-9748
                   CVE-2017-9747 CVE-2017-9746 CVE-2017-9744 CVE-2017-9044
                   CVE-2017-9043 CVE-2017-9042 CVE-2017-9040 CVE-2017-8421
                   CVE-2017-8398 CVE-2017-8396 CVE-2017-8394 CVE-2017-8393
                   CVE-2017-7302 CVE-2017-7227 CVE-2017-7226 CVE-2017-7225
                   CVE-2017-7224 CVE-2017-7223 CVE-2017-7210 CVE-2017-3736
                   CVE-2017-3735 CVE-2014-9939
Reference:         ASB-2018.0033
                   ASB-2018.0026
                   ASB-2018.0017
                   ASB-2018.0013
                   ESB-2017.2822
                   ESB-2017.1838

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg22012605

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in Open Source Binutils and Open
Source OpenSSL affect IBM Netezza Analytics

Document information

More support for: PureData System for Analytics
IBM Netezza Analytics

Software version: 1.0.0

Operating system(s): Platform Independent

Software edition: All Editions

Reference #: 2012605

Modified date: 07 February 2018

Summary

Open Source Binutils and
OpenSSL are used by IBM Netezza Analytics. IBM Netezza Analytics has addressed
the applicable CVEs.

Vulnerability Details

CVEID: CVE-2014-9939
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
stack-based buffer overflow in ihex.c. By using a specially-crafted ihex file,
a remote attacker could exploit this vulnerability to cause the application to
crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127317 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-8394
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
NULL pointer dereference in _bfd_elf_large_com_section in libbfd. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125529 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-8393
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
global buffer over-read error in SHT_REL/SHT_RELA sections in libbfd. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125528 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7302
DESCRIPTION: The libbfd library of GNU Binutils is vulnerable to a denial of
service, caused by an invalid read flaw in the swap_std_reloc_out function in
bfd/aoutx.h. By using a specially-crafted binary, a remote attacker could
exploit this vulnerability to cause Binutils utilities like strip to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/124108 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7227
DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
overflows, caused by improper bounds checking by the GNU linker (ld). By using
a specially-crafted input script, an attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123655 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7224
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in the find_nearest_line function in objdump. By using a
specially-crafted binary, an attacker could exploit this vulnerability to
cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123652 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7223
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
global buffer overflow in the GNU assembler. By using EOF characters, an
attacker could exploit this vulnerability to cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123651 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7210
DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
overflows, caused by improper bounds checking by objdump. By using a
specially-crafted object file, an attacker could overflow a buffer and cause
the program to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123537 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-7226
DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
overflows, caused by improper bounds checking by the pe_ILF_object_p function
in the Binary File Descriptor (BFD) library. By using a specially-crafted
file, an attacker could overflow a buffer and cause the program to crash and
potentially obtain sensitive information.
CVSS Base Score: 6.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123654 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)

CVEID: CVE-2017-7225
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
NULL pointer dereference in the find_nearest_line function in addr2line. By
using a specially-crafted binary, an attacker could exploit this vulnerability
to cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123653 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9044
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in the print_symbol_for_build_attribute function in readelf.c. By using
a specially-crafted ELF file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126188 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-9043
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in readelf.c.
By using a specially-crafted ELF file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126189 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-9042
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in readelf.c. By using a specially-crafted ELF file, a remote attacker
could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126190 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-9040
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
NULL pointer dereference in the process_mips_specific function in readelf.c.
By using a specially-crafted ELF file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126192 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-8421
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
memory leak in the coff_set_alignment_hook function in coffcode.h. By
persuading a victim to open a specially-crafted PE file, a remote attacker
could exploit this vulnerability to cause memory exhaustion in objdump.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125745 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-8398
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
invalid read of size 1 error in dwarf.c. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125533 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-8396
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
invalid read of size 1 error in libbfd. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125531 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9954
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the getvalue function in tekhex.c in the Binary
File Descriptor (BFD) library. By persuading a victim to open a
specially-crafted tekhex file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127718 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9754
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the process_otr function in bfd/versados.c in the
Binary File Descriptor (BFD) library. By persuading a victim to open a
specially-crafted binary file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127553 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9749
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the regs macros in opcodes/bfin-dis.c. By
persuading a victim to open a specially-crafted binary file, a remote attacker
could overflow a buffer and cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127548 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9746
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the disassemble_bytes function in objdump.c. By
persuading a victim to open a specially-crafted binary file, a remote attacker
could overflow a buffer and cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127542 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9744
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the sh_elf_set_mach_from_flags function in
bfd/elf32-sh.c in the Binary File Descriptor (BFD) library. By persuading a
victim to open a specially-crafted binary file, a remote attacker could
overflow a buffer and cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127541 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9748
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the ieee_object_p function in bfd/ieee.c in the
Binary File Descriptor (BFD) library. By persuading a victim to open a
specially-crafted binary file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127547 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9747
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the ieee_archive_p function in bfd/ieee.c in the
Binary File Descriptor (BFD) library. By persuading a victim to open a
specially-crafted binary file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127546 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12452
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in the bfd_mach_o_i386_canonicalize_one_reloc function
in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library. By using a
specially-crafted mach-o file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130140 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12451
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds stack read in the _bfd_xcoff_read_ar_hdr function in
bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD)
library. By using a specially-crafted COFF image file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130145 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12450
DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
code on the system, caused by an out of bounds heap write in the
alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor
(BFD) library. By using a specially-crafted mach-o file, an attacker could
exploit this vulnerability to possibly execute arbitrary code.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130136 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-12449
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in the _bfd_vms_save_sized_string function in
vms-misc.c in the Binary File Descriptor (BFD) library. By using a
specially-crafted vms file, a remote attacker could exploit this vulnerability
to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130137 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12459
DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
code on the system, caused by an out of bounds heap write in the
bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File
Descriptor (BFD) library. By using a specially-crafted mach-o file, an
attacker could exploit this vulnerability to possibly execute arbitrary code.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130135 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-12458
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in the nlm_swap_auxiliary_headers_in function in
bfd/nlmcode.h in the Binary File Descriptor (BFD) library. By using a
specially-crafted nlm file, a remote attacker could exploit this vulnerability
to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130139 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12457
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
NULL dereference in the bfd_make_section_with_flags function in section.c in
the Binary File Descriptor (BFD) library. By using a specially-crafted file, a
remote attacker could exploit this vulnerability to cause the application to
crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130143 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12456
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in the read_symbol_stabs_debugging_info function in
rddbg.c. By using a specially-crafted binary file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130142 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12455
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in the evax_bfd_print_emh function in vms-alpha.c in
the Binary File Descriptor (BFD) library. By using a specially-crafted vms
alpha file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130138 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12454
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
arbitrary memory read in the _bfd_vms_slurp_egsd function in bfd/vms-alpha.c
in the Binary File Descriptor (BFD) library. By using a specially-crafted
binary file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130144 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12453
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in the _bfd_vms_slurp_eeom function in libbfd.c in the
Binary File Descriptor (BFD) library. By using a specially-crafted vms alpha
file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130141 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12448
DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
code on the system, caused by a heap use after free in the bfd_cache_close
function in bfd/cache.c in the Binary File Descriptor (BFD) library. By using
a specially-crafted nested archive file, an attacker could exploit this
vulnerability to possibly execute arbitrary code.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130146 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information about
the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3735
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error while parsing an IPAddressFamily extension in
an X.509 certificate. An attacker could exploit this vulnerability to trigger
an out-of-bounds read, resulting in an incorrect text display of the
certificate.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/131047 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Netezza Analytics 1.2.4, 2.0-2.3, 3.0-3.0.2, 3.2-3.2.5, 3.3

Remediation/Fixes

+----------------------+---------+---------------------------------------+
|Product               |VRMF     |Remediation/First Fix                  |
+----------------------+---------+---------------------------------------+
|IBM Netezza Analytics |3.2.6    | 3.2.6.0-IM-Netezza-ANALYTICS-fp119342 |
+----------------------+---------+---------------------------------------+
|IBM Netezza Analytics |3.3.1    | 3.3.1.0-IM-Netezza-ANALYTICS-fp119728 |
+----------------------+---------+---------------------------------------+

Workarounds and Mitigations

None

Change History

7 Feb 2018 : Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================