Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libtirpc (CVE-2018-14622 CVE-2018-14621)

Summary

IBM Dynamic System Analysis (DSA) Preboot has addressed the following vulnerabilities in libtirpc.

Vulnerability Details

CVEID: CVE-2018-14622 DESCRIPTION: Libtirpc is vulnerable to a denial of service, caused by a NULL pointer dereference in the rpc-based application. By flooding the applications with new connections, a remote attacker could exploit this vulnerability to exhaust the resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149185&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-14621 DESCRIPTION: Libtirpc is vulnerable to a denial of service, caused by an error in EMFILE case in svc_vc.c. By using poll rather than select, a local attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149184&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Product

|

Affected Version

—|—

IBM Dynamic System Analysis (DSA) Preboot

|

9.6

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/&gt;

Product

|

Fix Version

—|—

IBM Dynamic System Analysis (DSA) Preboot
(ibm_fw_dsa_dsyte2z-9.65_anyos_32-64)

|

dsyte2z-9.65

Workarounds and Mitigations

None