This bulletin addresses CVE-2016-2842 for IBM Sterling Connect:Express for Unix.
OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by IBM Sterling Connect:Express for Unix. IBM Sterling Connect:Express for Unix addressed the applicable CVEs with the details provided in:
An additional CVE, CVE-2016-2842, was also fixed but was not initially included in the March 1, 2016 OpenSSL Project announcement or in the associated security bulletin for this product. This bulletin only addresses CVE-2016-2842. See the bulletin linked above for the other CVEs that were addressed in the March 1, 2016 OpenSSL Project announcement.
CVE-ID: CVE-2016-2842
Description: OpenSSL is vulnerable to a denial of service, caused by the failure of the doapr_outch function to verify that a certain memory allocation succeeds. A remote attacker could exploit this vulnerability using a specially crafted string to cause an out-of-bounds write or consume an overly large amount of resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111304 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
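The defect described above is an unchecked buffer growth in doapr_outch. The following added example (hypothetical code written for this bulletin, not OpenSSL's crypto/bio/b_print.c and not IBM's) shows a character-append routine with the allocation-failure check that was missing, plus a constructed allocation cap so the failure path can be exercised offline.

```c
#include <stdlib.h>
/* Hypothetical growable buffer modelled on the one doapr_outch() appends
 * into. Added illustration only; this is not OpenSSL's crypto/bio/b_print.c. */
typedef struct {
    char *buf;
    size_t len;    /* characters written so far */
    size_t maxlen; /* current capacity of buf */
} outbuf;

/* Constructed allocation cap so the failure path can be exercised offline. */
static size_t alloc_cap = (size_t)-1;

static void *grow(void *p, size_t n)
{
    return n > alloc_cap ? NULL : realloc(p, n);
}
/* Append one character, growing the buffer when full. Returns 1 on
 * success, 0 on allocation failure. The NULL check on tmp is the
 * verification the advisory says was missing: without it the store
 * below goes through a NULL or stale pointer. */
int outch_checked(outbuf *ob, char c)
{
    if (ob->len + 1 >= ob->maxlen) {
        size_t newlen = ob->maxlen ? ob->maxlen * 2 : 64;
        char *tmp = grow(ob->buf, newlen);
        if (tmp == NULL)
            return 0; /* buf and maxlen stay valid for the caller */
        ob->buf = tmp;
        ob->maxlen = newlen;
    }
    ob->buf[ob->len++] = c;
    ob->buf[ob->len] = '\0';
    return 1;
}

/* Write nchars 'A's with allocations capped at cap bytes. Returns 1 if
 * all were written, 0 if a growth step failed first; *written receives
 * how many characters were safely kept. */
int fill_under_cap(size_t cap, size_t nchars, size_t *written)
{
    outbuf ob = {0};
    int ok = 1;
    alloc_cap = cap;
    for (size_t i = 0; i < nchars && ok; i++)
        ok = outch_checked(&ob, 'A');
    *written = ob.len;
    free(ob.buf);
    return ok;
}
```

With the check in place, a long input under memory pressure ends in a clean failure return instead of a write past the buffer.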
IBM Sterling Connect:Express for UNIX 1.4.6
- All versions prior to 1.4.6.1 iFix 146-113
IBM Sterling Connect:Express for UNIX 1.5.0.12
- All versions prior to 1.5.0.12 iFix 150-1206
| VRMF | Remediation |
|---|---|
| 1.4.6 | Contact your local IBM Remote Technical Support Center to request Connect:Express 1.4.6.1 iFix 146-114 |
| 1.5.0.12 | Apply 1.5.0.12 iFix 150-13, available on Fix Central |
None