Security Bulletin: OpenSource ICU4C Vulnernabilities in IBM eDiscovery Manager

Summary

International Components for Unicode (ICU) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Locale class in common/locid.cpp. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Vulnerability Details

CVEID: CVE-2016-7415 DESCRIPTION: International Components for Unicode (ICU) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Locale class in common/locid.cpp. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117035&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-6293 DESCRIPTION: International Components for Unicode (ICU) could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in the uloc_acceptLanguageFromHTTP function. An attacker could exploit this vulnerability using a call with a long httpAcceptLanguage argument to execute arbitrary code on the system. Note: This vulnerability also affect PHP.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115536&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM eDiscovery Manager Version 2.2.2

Remediation/Fixes

Product

| VRM|Remediation
—|—|—
IBM eDiscovery Manager| 2.2.2| Use IBM eDiscovery Manager 2.2.2.2 Interim Fix IF0003 available at https://www-945.ibm.com/support/fixcentral/

Workarounds and Mitigations

None. Install the interim fix.