SB2017090107 - Multiple vulnerabilities in IBM AIX

Main Vulnerability Database SB2017090107

SB2017090107 - Multiple vulnerabilities in IBM AIX

Published: September 1, 2017 Updated: September 5, 2017

Security Bulletin ID SB2017090107

Severity

High

Patch available

YES

Number of vulnerabilities 20

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 20 secuirty vulnerabilities.

1) Privilege escalation (CVE-ID: CVE-2017-1376)

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists due to a flaw in the IBM J9 VM class verifier. A remote attacker can supply a specially crafted untrusted code to disable the security manager and escalate his privileges on the system.

2) Security restrictions bypass (CVE-ID: CVE-2017-1541)

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to a flaw in the AIX JRE/SDK installp and updatep packages. A remote attacker can supply specially crafted packages and prevent the java.security, java.policy and javaws.policy files from being updated correctly.

3) Denial of service (CVE-ID: CVE-2017-10053)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unknown error. A remote attacker can cause the application to crash.

4) Privilege escalation (CVE-ID: CVE-2017-10067)

The vulnerability allows a remote authenticated attacker to gain elevated privileges.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website and gain privileged access to the system.

5) Security restrictions bypass (CVE-ID: CVE-2017-10078)

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions and disclose and modify important data on the system.

6) Remote code execution (CVE-ID: CVE-2017-10087)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

7) Remote code execution (CVE-ID: CVE-2017-10089)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

8) Remote code execution (CVE-ID: CVE-2017-10090)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

9) Remote code execution (CVE-ID: CVE-2017-10096)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

10) Remote code execution (CVE-ID: CVE-2017-10101)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

11) Remote code execution (CVE-ID: CVE-2017-10102)

The vulnerability allows a remote authenticated attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

12) Security restrictions bypass (CVE-ID: CVE-2017-10105)

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions and modify arbitrary data on the system.

13) Remote code execution (CVE-ID: CVE-2017-10107)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

14) Denial of service (CVE-ID: CVE-2017-10108)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unknown error. A remote attacker can cause the application to crash.

15) Denial of service (CVE-ID: CVE-2017-10109)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unknown error. A remote attacker can cause the application to crash.

16) Remote code execution (CVE-ID: CVE-2017-10110)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take control over the affected system.

17) Information disclosure (CVE-ID: CVE-2017-10115)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to unknown error. A remote attacker can disclose important data on the target system

18) Remote code execution (CVE-ID: CVE-2017-10116)

The vulnerability allows a remote authenticated attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

19) Arbitrary code execution (CVE-ID: CVE-2017-10125)

The vulnerability allows an attacker with physical access to the system to execute arbitrary code on the target system.

The weakness exists due to unknown error. A remote attacker can execute arbitrary code with elevated privileges and compromise the vulnerable system.

20) Information disclosure (CVE-ID: CVE-2017-10243)

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.

The weakness exists due to unknown error. A remote attacker can disclose arbitrary files or cause the application to crash.

Remediation

Install update from vendor's website.

References

http://aix.software.ibm.com/aix/efixes/security/java_july2017_advisory.asc