There are vulnerabilities in the Open Source GNU glibc that is used by the OS Images for IBM PureApplication Software Suite, IBM Bluemix Local System and IBM PureApplication System/Software
CVEID: CVE-2014-9761**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the nan function. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111085 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8778**
DESCRIPTION:** GNU C Library (glibc) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in hcreate and hcreate_r. An attacker could exploit this vulnerability to trigger an out-of-bound memory access and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111086 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2015-8779**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the catopen function. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111087 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
IBM OS Image for Red Hat Linux Systems 2.1.5.0
IBM OS Image for Red Hat Linux Systems 2.1.6.0
IBM OS Image for Red Hat Linux Systems 2.1.7.0
IBM OS Image for Red Hat Linux Systems 2.1.8.0
IBM OS Image for Red Hat Linux Systems 3.0.5.0
IBM OS Image for Red Hat Linux Systems 3.0.6.0
IBM OS Image for Red Hat Linux Systems 3.0.7.0
The solution is to upgrade the IBM PureApplication System to the following fix level:
IBM PureApplication V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2, V2.2.4.0
PureApplication Software:
Linux:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.5.0&platform=All&function=fixId&fixids=pureappsw_content_2250&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc
Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>
None