Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in cURL (CVE-2018-16840 CVE-2018-16842)

Summary

IBM Dynamic System Analysis (DSA) Preboot has addressed the following vulnerabilities in cURL.

Vulnerability Details

CVEID: CVE-2018-16840 DESCRIPTION: cURL is vulnerable to a denial of service, caused by a heap use-after-free flaw in the Curl_close function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152299&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-16842 DESCRIPTION: cURL could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read in the display function in the command line tool. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152300&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

Product

|

Affected Version

—|—

IBM Dynamic System Analysis (DSA) Preboot

|

9.6

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/&gt;

Product

|

Fix Version

—|—

IBM Dynamic System Analysis (DSA) Preboot
(ibm_fw_dsa_dsyte2z-9.65_anyos_32-64)

|

dsyte2z-9.65

Workarounds and Mitigations

None