Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities

Summary

IBM Security Guardium has addressed the following vulnerabilities.

Vulnerability Details

CVEID:CVE-2019-10639
**DESCRIPTION:**Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the use of a weak function to generate IP packet IDs. By sniffing the network, an attacker could exploit this vulnerability to obtain hash collisions information to derive the hashing key.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167414 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-14821
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds access issue. By using the mmio ring buffer, a local authenticated attacker could exploit this vulnerability to cause the system to crash or potentially escalate privileges on the system.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167325 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-16746
**DESCRIPTION:**Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by missing check of the length of variable elements in a beacon head by the net/wireless/nl80211.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the system to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167566 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-16714
**DESCRIPTION:**Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the failure to initialize the tos and flags fields in the rds6_inc_info_copy function in net/rds/recv.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the kernel stack memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167373 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Product

|

VRMF

|

Remediation / First Fix

—|—|—
IBM Security Guardium| 10.6| | https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Sec…

IBM Security Guardium| 11.0| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur…
IBM Security Guardium| 11.1| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur…

Workarounds and Mitigations

None