SB2017050835 - Multiple vulnerabilities in IBM Integrated Management Module (IMM) for System x & BladeCenter
Published: May 8, 2017 Updated: May 22, 2024
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Uncontrolled Recursion (CVE-ID: CVE-2016-3627)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability occurs in the xmlStringGetNodeList function in tree.c in libxml2 when the parser is used in recovery mode. A remote attacker can cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
2) Heap-based buffer overflow (CVE-ID: CVE-2015-8806)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a boundary error. A remote attacker can cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document.
3) Buffer overflow (CVE-ID: CVE-2016-4447)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists in the xmlParseElementDecl function in parser.c in libxml2. A remote attacker can cause a denial of service (heap-based buffer under-read and application crash) via a crafted file, involving xmlParseName.
4) XXE attack (CVE-ID: CVE-2016-4449)
The vulnerability allows a remote attacker to conduct an XXE attack. The weakness exists in libxml2 due to an XML external entity (XXE) error when the XML parser processes XML data. A remote attacker can send manipulated XML content, trick the victim into opening it, and read sensitive data on the system.
Successful exploitation of the vulnerability may result in information disclosure.
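The following is an added example, not code from this bulletin, IBM, or libxml2. It shows the mitigation a service in front of an XML parser can apply against item 4: reject any document that carries a DOCTYPE or entity declaration before the document reaches the real parser, and never resolve external references while doing so. It uses only the Python standard library (expat) and constructed sample documents; the file path in the constructed sample is a placeholder.

```python
"""Gate XML input so that DTD and entity declarations never reach the parser.

Added example for the XXE item above; it is not part of the original bulletin.
A document is accepted only if it contains no DOCTYPE and no entity
declaration, which removes the mechanism an XXE payload relies on.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD or an entity."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Walk the document with expat and raise UnsafeXMLError on any
    DOCTYPE, entity declaration or external entity reference.

    Parameter-entity parsing is switched off, so the check itself never
    fetches an external DTD while inspecting untrusted input.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed: {name!r}")

    def on_entity_decl(*_args):
        # Unreachable in practice because the DOCTYPE handler fires first;
        # kept as defence in depth.
        raise UnsafeXMLError("entity declaration not allowed")

    def on_external_ref(context, base, sysid, pubid):
        # Same: never resolve an external reference from untrusted input.
        raise UnsafeXMLError(f"external entity reference not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # Exceptions raised inside handlers propagate out of Parse().
    parser.Parse(xml_bytes, True)


def is_dtd_free(xml_bytes: bytes) -> bool:
    """Boolean wrapper around check_no_dtd for logging/metrics paths."""
    try:
        check_no_dtd(xml_bytes)
    except UnsafeXMLError:
        return False
    return True


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Apply the gate, then parse with ElementTree (which does not expand
    external entities on its own either). Raises UnsafeXMLError or
    ET.ParseError on bad input."""
    check_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample inputs (not from the bulletin).
BENIGN_DOC = b'<?xml version="1.0"?><config><host>imm01</host></config>'
XXE_SHAPED_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
    b'<config><host>&ext;</host></config>'
)
INTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE config [<!ENTITY a "x">]><config>&a;</config>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC),
                       ("xxe-shaped", XXE_SHAPED_DOC),
                       ("internal-entity", INTERNAL_ENTITY_DOC)):
        print(label, "accepted" if is_dtd_free(doc) else "rejected")
```

The gate rejects internal entity declarations as well, so it also blocks entity-expansion denial of service; documents that legitimately need a DTD must take a separate, trusted path rather than be exempted from this check.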
Remediation
Install the update from the vendor's website.