Security Bulletin: Vulnerabilities in unzip affect Power Hardware Management Console (CVE-2014-8139 CVE-2014-8140 CVE-2014-8141 CVE-2014-9636)

Published: 2021-09-23 01:31:39
Source: www.ibm.com

Summary

Unzip is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2014-8139
DESCRIPTION: Info-ZIP UnZip is vulnerable to a heap-based buffer overflow, caused by improper bounds checking within the CRC32 verification. A lo
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99371 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8140
DESCRIPTION: Info-ZIP UnZip is vulnerable to a buffer overflow, caused by improper bounds checking by the test_compr_eb() function. A local attac
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99372 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8141
DESCRIPTION: Info-ZIP UnZip is vulnerable to a buffer overflow, caused by improper bounds checking by the getZip64Data() function. A local attack
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99373 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-9636
DESCRIPTION: Info-ZIP UnZip is vulnerable to a denial of service, caused by an out-of-bounds access in extract.c. By persuading a victim to open a specially crafted zip file, a local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100264 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:N/A:P)
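All four entries above are the same class of defect: unzip reads a length from a crafted archive and acts on it without checking it against the bytes actually present (the Zip64 data that getZip64Data() handles lives in an entry's extra field). The script below is an added example, not code from IBM or Info-ZIP, that applies that kind of bounds check to the extra fields of every local file header before an archive is handed to an extractor. The rule it uses for how many bytes a Zip64 block must carry, and the three sample archives, are assumptions constructed for this example; it does not reproduce the specific unzip defects.

```python
"""Pre-extraction sanity check of zip local-file-header extra fields.

Added example (not IBM's or Info-ZIP's code). Walks each local file header,
parses the extra field as a sequence of <id, size, data> blocks, and reports
any block whose declared size exceeds the bytes actually present, or any
Zip64 block (id 0x0001) too short for the 64-bit sizes the header says it
must carry. The Zip64 'needed' rule and the sample archives are assumptions.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# signature, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
ZIP64_EXTRA_ID = 0x0001
ZIP64_MARKER = 0xFFFFFFFF


def check_extra_field(extra, csize, usize):
    """Return a list of problems found in one extra field (empty if consistent)."""
    problems = []
    pos = 0
    while pos < len(extra):
        remaining = len(extra) - pos
        if remaining < 4:
            problems.append(f"truncated block header at offset {pos}")
            break
        block_id, block_size = struct.unpack_from("<HH", extra, pos)
        if block_size > remaining - 4:
            problems.append(
                f"block 0x{block_id:04x} at offset {pos} claims {block_size} bytes, "
                f"only {remaining - 4} remain"
            )
            break
        if block_id == ZIP64_EXTRA_ID:
            # Assumption for this example: a Zip64 block in a local header must
            # carry an 8-byte value for each size field that is set to 0xFFFFFFFF.
            needed = 8 * ((usize == ZIP64_MARKER) + (csize == ZIP64_MARKER))
            if block_size < needed:
                problems.append(
                    f"zip64 block at offset {pos} has {block_size} bytes, "
                    f"header needs {needed}"
                )
        pos += 4 + block_size
    return problems


def check_local_headers(data):
    """Scan an in-memory archive; return [(entry name, problem), ...]."""
    findings = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos >= 0:
        if len(data) - pos < LOCAL_HEADER_LEN:
            findings.append(("?", f"truncated local header at offset {pos}"))
            break
        (_, _, _, _, _, _, _, csize, usize, name_len, extra_len) = struct.unpack_from(
            LOCAL_HEADER_FMT, data, pos
        )
        body = pos + LOCAL_HEADER_LEN
        name = data[body:body + name_len].decode("utf-8", errors="replace")
        extra = data[body + name_len:body + name_len + extra_len]
        if len(extra) < extra_len:
            findings.append((name, f"extra field declares {extra_len} bytes, only {len(extra)} present"))
        for problem in check_extra_field(extra, csize, usize):
            findings.append((name, problem))
        # Skip the entry's data when its size is known, then look for the next header.
        skip = csize if csize != ZIP64_MARKER else 0
        pos = data.find(LOCAL_HEADER_SIG, body + name_len + extra_len + skip)
    return findings


def build_local_header(name, extra, csize=0, usize=0):
    """Constructed sample: a single local file header with a chosen extra field."""
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, 0, 0, 0, 0, 0,
                         csize, usize, len(name), len(extra))
    return header + name + extra


# Constructed sample 1: a well-formed archive written by the standard library.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as zf:
    zf.writestr("hello.txt", b"hello")
GOOD_ZIP = _buf.getvalue()

# Constructed sample 2: an extra-field block that claims 200 bytes but has 4.
OVERSIZED_EXTRA = build_local_header(
    b"a.txt", struct.pack("<HH", ZIP64_EXTRA_ID, 200) + b"\x00" * 4
)

# Constructed sample 3: both sizes say "see Zip64 block", but the block holds 4 bytes, not 16.
SHORT_ZIP64 = build_local_header(
    b"b.txt", struct.pack("<HH", ZIP64_EXTRA_ID, 4) + b"\x00" * 4,
    csize=ZIP64_MARKER, usize=ZIP64_MARKER,
)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_ZIP), ("oversized", OVERSIZED_EXTRA), ("short zip64", SHORT_ZIP64)):
        print(label, check_local_headers(sample) or "ok")
```

Run as a script it prints one line per constructed sample; a non-empty findings list means the archive should be rejected rather than passed to an extractor. The scanner deliberately never dereferences a length it has not first compared with the bytes remaining, which is the discipline the unzip fixes restore.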

Affected Products and Versions

Power HMC V7.7.3.0

Power HMC V7.7.8.0

Power HMC V7.7.9.0

Power HMC V8.1.0.0

Power HMC V8.2.0.0

Power HMC V8.3.0.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: http://www-933.ibm.com/support/fixcentral/

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
Power HMC | V7.7.3.0 SP7 | MB03923 | Apply eFix MH01535
Power HMC | V7.7.8.0 SP2 | MB03924 | Apply eFix MH01536
Power HMC | V7.7.9.0 SP2 | MB03925 | Apply eFix MH01537
Power HMC | V8.8.1.0 SP2 | MB03920 | Apply eFix MH01532
Power HMC | V8.8.2.0 SP1 | MB03926 | Apply eFix MH01538
Power HMC | V8.8.3.0 | MB03927 | Apply eFix MH01539

Note:

1. For unsupported releases IBM recommends upgrading to a fixed, supported release of the product.

2. After applying the PTF, you should restart the HMC.

3. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C), also called "PERCS" and "IH". The End of Service date for managing all other server models was 2013-05-31.

Workarounds and Mitigations

None