Multiple security vulnerabilities have been discovered in expat that is embedded in the IBM FSM. This bulletin addresses these vulnerabilities.
CVEID: CVE-2012-0876**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73868 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2012-1147**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by a resource leak in readfilemap.c when handling XML data. A remote attacker could exploit this vulnerability to cause the application using the vulnerable XML parsing library to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73866 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2012-1148**
DESCRIPTION:** Expat is vulnerable to a denial of service, caused by a memory leak in poolGrow when handling XML data. A remote attacker could exploit this vulnerability to cause the application using the vulnerable XML parsing library to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73867 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-1283**
DESCRIPTION:** Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104964 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVEID: CVE-2016-0718**
DESCRIPTION:** Expat XML parser is vulnerable to a denial of service, caused by an out-of-bounds read within XML parser. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Flex System Manager 1.3.4.x
Flex System Manager 1.3.3.x
Flex System Manager 1.3.2.x
IBM recommends updating the FSM using the instructions referenced in this table.
Product |
VRMF |
APAR |
Remediation
—|—|—|—
Flex System Manager|
1.3.4.x |
IT16219
| Install fsmfix1.3.4.0_IT16216_IT16217_IT16218_IT16219
Flex System Manager|
1.3.3.x |
IT16219
| Install fsmfix1.3.3.0_IT16216_IT16217_IT16218_IT16219
Flex System Manager|
1.3.2.x |
IT16219
| Install fsmfix1.3.2.0_IT16216_IT16217_IT16218_IT16219
For 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product.
None
CPE | Name | Operator | Version |
---|---|---|---|
flex system manager node | eq | any |