SB2017050832 - Multiple vulnerabilities in IBM BladeCenter Advanced Management Module (AMM)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017050832

SB2017050832 - Multiple vulnerabilities in IBM BladeCenter Advanced Management Module (AMM)

Published: May 8, 2017 Updated: October 27, 2023

Security Bulletin ID SB2017050832
CSH Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-7942)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations.


2) Buffer overflow (CVE-ID: CVE-2013-7439)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to multiple off-by-one errors in the MakeBigReq and SetReqLen macros in include/X11/Xlibint.h in X11R6.x and libX11. A remote attacker can create a specially crafted request, trigger buffer overflow and execute arbitrary code on the target system.


3) Input validation error (CVE-ID: CVE-2013-1981)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions. Additional products added per http://www.ubuntu.com/usn/USN-1854-1/


4) Buffer overflow (CVE-ID: CVE-2013-2004)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file.


Remediation

Install update from vendor's website.

References