Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF721973ABFE9B85335EC078ABADED17BA6D7B7B822DB364C442E7B0CAEA2C67F
HistoryJun 18, 2018 - 1:32 a.m.

Security Bulletin: Multiple vulnerabilities in PCRE affect PowerKVM

2018-06-1801:32:32
www.ibm.com
19

0.151 Low

EPSS

Percentile

95.9%

JSON

Summary

PowerKVM is affected by several vulnerabilities in the PCRE library. These vulnerabilities are now fixed.

Vulnerability Details

CVEID: CVE-2015-8386**
DESCRIPTION:** PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of the interaction of lookbehind assertions and mutually recursive subpatterns. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108461 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8388**
DESCRIPTION:** PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling ofpattern and related patterns with an unmatched closing parenthesis. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8391**
DESCRIPTION:** PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of certain nesting by the pcre_compile function. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108456 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-3191**
DESCRIPTION:** PCRE and PCRE2 are vulnerable to a stack-based buffer overflow, caused by the improper handling of the (ACCEPT) substring by the compile_branch function in pcre_compile.c. By using a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111583 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-2328**
DESCRIPTION:** PCRE is vulnerable to a denial of service, caused by the improper handling of patterns with certain internal recursive back references. A remote attacker could exploit this vulnerability using a specially crafted regular expression to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109276 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-3217**
DESCRIPTION:** PCRE is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the match() function. By sending a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103582 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-5073**
DESCRIPTION:** PCRE is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the find_fixedlength() function. By sending a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104098 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-8385**
DESCRIPTION:** PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of pattern and related patterns with certain forward references. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108462 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

PowerKVM 2.1 and PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw for 3.1.0.2 (3.1.0 SP2) or later.

For version 2.1, see PowerKVM 2.1.1.3-65. Update 10 at https://ibm.biz/BdEnT8 or later. Customers running v2.1 are, in any case, encouraged to upgrade to v3.1.

For v2.1 systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README&gt; for prerequisite fixes and instructions.

Workarounds and Mitigations

None

CPENameOperatorVersion
powerkvmeq2.1
powerkvmeq3.1

Related

centos 1
openvas 19
redhat 2
oraclelinux 1
nessus 40
amazon 4
fedora 6
f5 6
ibm 15
ubuntu 2
cve 8
cvelist 8
nvd 8
debiancve 8
prion 8
ubuntucve 13
openwrt 1
veracode 36
symantec 1
gentoo 1
mageia 2
freebsd 4
alpinelinux 1
osv 1
zdi 1
securityvulns 2
centos
centos
pcre security update
2016-05-13 00:44:08
openvas
openvas
RedHat Update for pcre RHSA-2016:1025-01
2016-06-03 00:00:00
Huawei EulerOS: Security Advisory for pcre (EulerOS-SA-2016-1023)
2020-01-23 00:00:00
CentOS Update for pcre CESA-2016:1025 centos7
2016-05-17 00:00:00
redhat
redhat
(RHSA-2016:1025) Important: pcre security update
2016-05-11 11:17:05
(RHSA-2016:1132) Important: rh-mariadb100-mariadb security update
2016-05-26 08:10:09
oraclelinux
oraclelinux
pcre security update
2016-05-11 00:00:00
nessus
nessus
CentOS 7 : pcre (CESA-2016:1025)
2016-05-13 00:00:00
Oracle Linux 7 : pcre (ELSA-2016-1025)
2016-05-12 00:00:00
RHEL 7 : pcre (RHSA-2016:1025)
2016-05-12 00:00:00
amazon
amazon
Important: pcre
2018-09-05 20:42:00
Medium: glib2
2023-06-07 23:52:00
Medium: glib2
2023-06-21 19:11:00
fedora
fedora
[SECURITY] Fedora 22 Update: mingw-pcre-8.38-1.fc22
2016-02-17 04:25:54
[SECURITY] Fedora 23 Update: mingw-pcre-8.38-1.fc23
2016-02-17 04:01:55
[SECURITY] Fedora 22 Update: pcre-8.38-1.fc22
2016-01-04 19:59:47
f5
f5
SOL20225390 - Multiple PCRE vulnerabilities
2016-02-04 00:00:00
K20225390 : Multiple PCRE vulnerabilities
2016-02-04 00:00:00
SOL17331 - PCRE library vulnerability CVE-2015-5073
2015-09-29 00:00:00
ibm
ibm
Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the consumed PCRE library.
2023-12-20 20:15:48
Security Bulletin: Vulnerability with the open source Perl Compatible Regular Expression (PCRE) library used in IBM Aspera Shares 1.9.2 and earlier
2018-12-08 04:55:34
Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerabilty in PCRE (CVE-2015-3217)
2023-12-07 22:31:02
ubuntu
ubuntu
PCRE vulnerabilities
2016-03-29 00:00:00
PCRE vulnerabilities
2015-07-29 00:00:00
cve
cve
CVE-2015-8391
2015-12-02 01:59:15
CVE-2015-8388
2015-12-02 01:59:12
CVE-2015-3217
2016-12-13 16:59:02
cvelist
cvelist
CVE-2015-8388
2015-12-02 01:00:00
CVE-2015-8386
2015-12-02 00:00:00
CVE-2015-8385
2015-12-02 01:00:00
nvd
nvd
CVE-2015-8388
2015-12-02 01:59:12
CVE-2015-8391
2015-12-02 01:59:15
CVE-2015-8386
2015-12-02 01:59:10
debiancve
debiancve
CVE-2015-8388
2015-12-02 01:59:12
CVE-2015-8385
2015-12-02 01:59:09
CVE-2015-8386
2015-12-02 01:59:10
prion
prion
Code injection
2015-12-02 01:59:00
Buffer overflow
2015-12-02 01:59:00
Stack overflow
2016-12-13 16:59:00
ubuntucve
ubuntucve
CVE-2015-8391
2015-12-01 00:00:00
CVE-2015-8388
2015-12-01 00:00:00
CVE-2015-8386
2015-12-01 00:00:00
openwrt
openwrt
pcre: Security update (18 CVEs)
2016-01-28 12:40:02
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:34:19
Denial Of Service (DoS)
2019-05-02 05:34:19
Denial Of Service (DoS)
2019-05-02 05:34:18
symantec
symantec
SA128 : Multiple PCRE Vulnerabilities
2016-07-07 08:00:00
gentoo
gentoo
libpcre: Multiple Vulnerabilities
2016-07-09 00:00:00
mageia
mageia
Updated pcre package fixes security vulnerability
2015-07-05 20:22:03
Updated pcre packages fix security vulnerabilities
2016-05-24 01:00:58
freebsd
freebsd
pcre -- Heap Overflow Vulnerability in find_fixedlength()
2015-06-23 00:00:00
pcre -- stack buffer overflow
2016-02-09 00:00:00
pcre -- multiple vulnerabilities
2015-05-29 00:00:00
alpinelinux
alpinelinux
CVE-2016-3191
2016-03-17 23:59:01
osv
osv
CVE-2016-3191
2016-03-17 23:59:00
zdi
zdi
PCRE Regular Expression Compilation Stack Buffer Overflow Remote Code Execution Vulnerability
2016-08-17 00:00:00
securityvulns
securityvulns
PCRE multiple security vulnerabilities
2015-08-02 00:00:00
[USN-2694-1] PCRE vulnerabilities
2015-08-02 00:00:00

0.151 Low

EPSS

Percentile

95.9%

JSON
Related for F721973ABFE9B85335EC078ABADED17BA6D7B7B822DB364C442E7B0CAEA2C67F
centos1openvas19redhat2oraclelinux1nessus40amazon4fedora6f56ibm15ubuntu2cve8cvelist8nvd8debiancve8prion8ubuntucve13openwrt1veracode36symantec1gentoo1mageia2freebsd4alpinelinux1osv1zdi1securityvulns2