Multiple vulnerabilities have been identified in sudo and glibc. Sudo and glibc are used by IBM SmartCloud Entry. IBM SmartCloud Entry has addressed the vulnerabilities
CVEID: CVE-2017-1000368**
DESCRIPTION:** sudo could allow a local attacker to gain elevated privileges, caused by improper parsing in the get_process_ttyname() function for Linux. An attacker with privileges to execute commands could exploit this vulnerability to overwrite any file on the filesystem with his command’s output and gain root privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127578 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-1000366**
DESCRIPTION:** Glibc could allow a local attacker to execute arbitrary code on the system, caused by a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack. By using specially-crafted crafted LD_LIBRARY_PATH values, an attacker could exploit this vulnerability to trigger a stack memory allocation flaw and execute arbitrary code on the system.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127452 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
IBM SmartCloud Entry Appliance 2.3.0 through 2.3.0.4 fix pack 10,
IBM SmartCloud Entry Appliance 2.4.0 through 2.4.0.4 fix pack 10,
IBM SmartCloud Entry Appliance 3.1.0 through 3.1.0.4 fix pack 25,
IBM SmartCloud Entry Appliance 3.2.0 through 3.2.0.4 fix pack 25
Product
|
VRMF
|
APAR
|
Remediation/First Fix
—|—|—|—
SmartCloud Entry | 3.2| None| IBM SmartCloud Entry Appliance 3.2.0.4 fix pack 26:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.2.0.4-IBM-SCE_APPL-FP26&source=SAR
For IBM SmartCloud Entry 2.3, IBM SmartCloud Entry 2.4 and IBM SmartCloud Entry 3.1, IBM recommends upgrading to a fixed, supported release of the product.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud manager with openstack | eq | 3.2 |