Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0382
Security Bulletin: Multiple vulnerabilities in Open Source Binutils and
Open Source OpenSSL affect IBM Netezza Analytics
8 February 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Netezza Analytics
Publisher: IBM
Operating System: Network Appliance
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-12459 CVE-2017-12458 CVE-2017-12457
CVE-2017-12456 CVE-2017-12455 CVE-2017-12454
CVE-2017-12453 CVE-2017-12452 CVE-2017-12451
CVE-2017-12450 CVE-2017-12449 CVE-2017-12448
CVE-2017-9954 CVE-2017-9754 CVE-2017-9749
CVE-2017-9748 CVE-2017-9747 CVE-2017-9746
CVE-2017-9744 CVE-2017-9044 CVE-2017-9043
CVE-2017-9042 CVE-2017-9040 CVE-2017-8421
CVE-2017-8398 CVE-2017-8396 CVE-2017-8394
CVE-2017-8393 CVE-2017-7302 CVE-2017-7227
CVE-2017-7226 CVE-2017-7225 CVE-2017-7224
CVE-2017-7223 CVE-2017-7210 CVE-2017-3736
CVE-2017-3735 CVE-2014-9939
Reference: ASB-2018.0033
ASB-2018.0026
ASB-2018.0017
ASB-2018.0013
ESB-2017.2822
ESB-2017.1838
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg22012605
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in Open Source Binutils and Open
Source OpenSSL affect IBM Netezza Analytics
Document information
More support for: PureData System for Analytics
IBM Netezza Analytics
Software version: 1.0.0
Operating system(s): Platform Independent
Software edition: All Editions
Reference #: 2012605
Modified date: 07 February 2018
Summary
Open Source Binutils and OpenSSL is used by IBM Netezza Analytics. IBM Netezza
Analytics has addressed the applicable CVEs
Vulnerability Details
CVEID: CVE-2014-9939
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
stack-based buffer overflow in ihex.c. By using a specially-crafted ihex
file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127317 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-8394 DESCRIPTION: GNU Binutils is vulnerable to a denial of
service, caused by a NULL pointer dereference in _bfd_elf_large_com_section in
libbfd. By persuading a victim to open a specially-crafted file, a remote
attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125529 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-8393
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
global buffer over-read error in SHT_REL/SHR_RELA sections in libbfd. By
persuading a victim to open a specially-crafted file, a remote attacker
could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125528 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-7302
DESCRIPTION: Libbfd library for GNU Binutils is vulnerable to a denial of
service, caused by an invalid read flaw in the swap_std_reloc_out function
in bfd/aoutx.h. By using a specially-crafted binary, a remote attacker could
exploit this vulnerability to cause Binutils utilities like strip to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/124108 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-7227
DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
overflows, caused by improper bounds checking by GNU linker (ld). By using a
specially-crafted input script, an attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123655 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-7224
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in the find_nearest_line function in objdump. By using a
specially-crafted binary, an attacker could exploit this vulnerability to
cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123652 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-7223
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
global buffer overflow in the GNU assembler. By using EOF characters, an
attacker could exploit this vulnerability to cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123651 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-7210
DESCRIPTION: GNU Binutilsis vulnerable to multiple heap-based buffer
overflows, caused by improper bounds checking by objdump. By using a
specially-crafted object file, an attacker could overflow a buffer and cause
the program to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123537 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2017-7226
DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
overflows, caused by improper bounds checking by pe_ILF_object_p function in
the Binary File Descriptor (BFD) library. By using a specially-crafted file,
an attacker could overflow a buffer and cause the program to crash and
potentially obtain sensitive information.
CVSS Base Score: 6.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123654 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
CVEID: CVE-2017-7225
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
NULL pointer dereference in the find_nearest_line function in addr2line. By
using a specially-crafted binary, an attacker could exploit this
vulnerability to cause the program to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123653 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9044
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in the print_symbol_for_build_attribute function in readelf.c. By using
a specially-crafted ELF file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126188 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-9043
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in the readelf.c. By using a specially-crafted ELF file, a remote
attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126189 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-9042
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
flaw in the readelf.c. By using a specially-crafted ELF file, a remote
attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126190 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-9040
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
NULL pointer dereference in the process_mips_specific function in readelf.c.
By using a specially-crafted ELF file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/126192 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-8421
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
memory leak in the coff_set_alignment_hook function in coffcode.h. By
persuading a victim to open a specially-crafted PE file, a remote attacker
could exploit this vulnerability to cause memory exhaustion in objdump.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125745 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-8398
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
invalid read of size 1 error in dwarf.c. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability
to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125533 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-8396
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
invalid read of size 1 error in libbfd. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability
to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125531 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9954
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the getvalue function in tekhex.c in the Binary
File Descriptor (BFD) library. By persuading a victim to open a
specially-rafted tekhex file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127718 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9754
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the process_otr function in bfd/versados.c in
the Binary File Descriptor (BFD) library. By persuading a victim to open a
specially-crafted binary file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127553 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9749
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the regs macros in opcodes/bfin-dis.c. By
persuading a victim to open a specially-crafted binary file, a remote
attacker could overflow a buffer and cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127548 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9746
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the disassemble_bytes function in objdump.c. By
persuading a victim to open a specially-crafted binary file, a remote
attacker could overflow a buffer and cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127542 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9744
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the sh_elf_set_mach_from_flags function in
bfd/elf32-sh.c in the Binary File Descriptor (BFD) library. By persuading a
victim to open a specially-crafted binary file, a remote attacker could
overflow a buffer and cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127541 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9748
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
improper bounds checking by the ieee_object_p function in bfd/ieee.c in the
Binary File Descriptor (BFD) library. By persuading a victim to open a
specially-crafted binary file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127547 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-9747
DESCRIPTION: GNU Binutils is vulnerable to denial of service, caused by
improper bounds checking by the ieee_archive_p function in bfd/ieee.c in the
Binary File Descriptor (BFD) library. By persuading a victim to open a
specially-crafted binary file, a remote attacker could overflow a buffer and
cause the program to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127546 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12452
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in bfd_mach_o_i386_canonicalize_one_reloc function
in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library. By using a
specially-crafted mach-o file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130140 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12451
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds stack read in _bfd_xcoff_read_ar_hdr function in
bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor
(BFD) library. By using a specially-crafted COFF image file, a remote
attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130145 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12450
DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
code on the system, caused by an out of bounds heap write in
alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor
(BFD) library. By using a specially-crafted mach-o file, an attacker could
exploit this vulnerability to possibly execute arbitrary code.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130136 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-12449
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in _bfd_vms_save_sized_string function in vms-misc.c
in the Binary File Descriptor (BFD) library. By using a specially-crafted
vms file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130137 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12459
DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
code on the system, caused by an out of bounds heap write
bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File
Descriptor (BFD) library. By using a specially-crafted mach-o file, an
attacker could exploit this vulnerability to possibly execute arbitrary
code.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130135 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-12458
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in nlm_swap_auxiliary_headers_in function in
bfd/nlmcode.h in the Binary File Descriptor (BFD) library. By using a
specially-crafted nlm file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130139 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12457
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
NULL dereference in bfd_make_section_with_flags function in section.c in the
Binary File Descriptor (BFD) library. By using a specially-crafted file, a
remote attacker could exploit this vulnerability to cause the application to
crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130143 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12456
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in read_symbol_stabs_debugging_info function in
rddbg.c. By using a specially-crafted binary file, a remote attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130142 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12455
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in evax_bfd_print_emh function in vms-alpha.c in the
Binary File Descriptor (BFD) library. By using a specially-crafted vms alpha
file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130138 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12454
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
arbitrary memory read in _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in
the Binary File Descriptor (BFD) library. By using a specially-crafted
binary file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130144 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12453
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
out of bounds heap read in _bfd_vms_slurp_eeom function in libbfd.c in the
Binary File Descriptor (BFD) library. By using a specially-crafted vms alpha
file, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130141 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-12448
DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
code on the system, caused by a heap use after free in bfd_cache_close
function in bfd/cache.c in the Binary File Descriptor (BFD) library. By
using a specially-crafted nested archive file, an attacker could exploit
this vulnerability to possibly execute arbitrary code.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/130146 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information
about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-3735
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error while parsing an IPAdressFamily extension in
an X.509 certificate. An attacker could exploit this vulnerability to
trigger an out-of-bounds read, resulting in an incorrect text display of the
certificate.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/131047 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Affected Products and Versions
IBM Netezza Analytics 1.2.4,2.0-2.3,3.0-3.0.2,3.2-3.2.5,3.3
Remediation/Fixes
+----------------------+---------+---------------------------------------+
|Product |VRMF |Remediation/First Fix |
+----------------------+---------+---------------------------------------+
|IBM Netezza Analytics |3.2.6 | 3.2.6.0-IM-Netezza-ANALYTICS-fp119342 |
+----------------------+---------+---------------------------------------+
|IBM Netezza Analytics |3.3.1 | 3.3.1.0-IM-Netezza-ANALYTICS-fp119728 |
+----------------------+---------+---------------------------------------+
Workarounds and Mitigations
None
Change History
7 Feb 2018 : Original version published
*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWnuveox+lLeg9Ub1AQgoWg//QaK4456H/Ycazjb2f4h0dKN9ou0YowUa
jiW4NDA/kkswX6zq9wpDYOdVtIZNOBTWvNCzntjj/E/2F231N6ZH4BEy5hKqr9U3
NT5rvPNweOcxNOUkJ1zu3RH7sg9jWUoMIiZxjraVy82D4LrOwF3y5ITLGcFqsZxH
1IqekhSPT5PlikdD3q+6H9sOtQKF0zst2a6xoUQWUJ5FuLOwtxDf8/bZk4yj98z7
fgMB4q3AGUmFOzbEbvfgyU8spbHdwcyEvAAxGwo4UYgS4Q02CBKF6cXLxmx04btn
DzPcyto+7rZvqj+PSSc0QNvn5oq2s0SaejLwMPXEDRdM2zf16CYANQolmSCf76Ur
7BbOXEd+rLf/3Ohp1AMWHAkIIFfXyV6ADVdhi0DONq8lqMHgZ+enzN+sqYKRU7jO
t0WipsfAhZV99aWJwITGWpkir8qiiZMxKNR+pu2S5AW+Oq5tssV6906Icfov15n7
3b1Ea6wYkfneXP9prQzeBdOuQJQl+Uca1vRI52R9OuoQZlAhObsF0W5s/4+0fYJR
KdDgtHpb/ukScn+2mG0AbN91ApgiyPdGZn4fz9cpNMkSkrBLDOesvYNz7pAvzoWD
pZWUyY7WUfCjkTP/ZB/afKy8WqDIXH61uli8HRxJC0KLdnj53rQjX73Ebtj0Ah3N
uJaZV5B3vPg=
=i1hx
-----END PGP SIGNATURE-----