Multiple vulnerabilities in IBM Planning Analytics

1) Remote code execution

EUVDB-ID: #VU6669

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3511

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to unknown error related to the Java SE, Java SE Embedded, JRockit JCE component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU6671

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3539

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to unknown error related to the Java SE, Java SE Embedded Security component. A remote attacker can trick the victim into visiting a specially crafted webpage, access and modify arbitrary data.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Denial of service

EUVDB-ID: #VU6663

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-9840

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Denial of service

EUVDB-ID: #VU6665

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-9842

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in zlib due to an undefined left shift of negative number. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Denial of service

EUVDB-ID: #VU6666

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-9843

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in zlib due to big-endian out-of-bounds pointer. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information disclosure

EUVDB-ID: #VU8083

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-10115

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to unknown error. A remote attacker can disclose important data on the target system

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Remote code execution

EUVDB-ID: #VU8082

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-10116

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Denial of service

EUVDB-ID: #VU8086

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-10108

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unknown error. A remote attacker can cause the application to crash.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Denial of service

EUVDB-ID: #VU8085

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-10109

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unknown error. A remote attacker can cause the application to crash.

Mitigation

Update to version 2.0.4.

Vulnerable software versions

Planning Analytics Local: 2.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:planning_analytics_local:2.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22007463&myns=swgimgmt&mynp=OCSSD29G&mync=E&cm_sp=swgimgmt-_-OCSSD29G-_-E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.