History: Apr 26, 2021 - 9:05 p.m.

Security Bulletin: wscanhw and wscansw vulnerabilities in scanner component of IBM License Metric Tool v9, v7.5, 7.2.2, IBM Endpoint Manager for Software Use Analysis v9 and IBM Tivoli Asset Discovery for Distributed v7.5, v7.2.2

www.ibm.com
ibm
license metric tool
endpoint manager
tivoli asset discovery
vulnerabilities
cit scanner
format string
stack overflow
disruption of service
cve-2014-8927
cve-2014-8926
remote user
xml query
cpu usage
crash
technote
remediation
self-update
endpoint manager sites

EPSS: 0.003

Percentile: 70.8%

Summary

The CIT scanner component contains a format string vulnerability in the wscanhw executable and a stack overflow vulnerability in the wscansw executable.
Successful exploitation of these vulnerabilities allows manipulation of the scanner process and possibly crashing it.

Vulnerability Details

CVEID: CVE-2014-8927
DESCRIPTION: IBM License Metric Tool contains a disruption of service vulnerability. A remote user can issue a specially crafted XML query to increase CPU usage and cause the application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99432 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-8926
DESCRIPTION: IBM License Metric Tool contains a disruption of service vulnerability. A remote user can issue a specially crafted XML query to increase CPU usage and cause the application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99431 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM License Metric Tool v9, v7.5, 7.2.2
IBM Endpoint Manager for Software Use Analysis v9
IBM Tivoli Asset Discovery for Distributed v7.5, v7.2.2

Remediation/Fixes

  • Refer to the following technote for information on how to download and apply the fixed CIT component: <http://www.ibm.com/support/docview.wss?uid=swg24040006>. The CIT component needs to be updated on each computer where the CIT component is installed. Please note that in the case of both v9 products, the “5724-D33” identifier in the CIT installation command should be replaced by the “SUA” identifier.
  • With the next v9 release, the fixed CIT component will be available on IBM Endpoint Manager sites for the v9 products.
  • With the next v7.5 and v7.2.2 releases, the fixed CIT component will be available as part of the self-update functionality. This technote will be updated with release information as it becomes available.

Workarounds and Mitigations

None
