SB2017050843 - Multiple vulnerabilities in IBM Flex System Chassis Management Module (CMM)
Published: May 8, 2017 Updated: February 18, 2025
Security Bulletin ID
SB2017050843
Severity
High
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Code execution
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Heap-out-of-bounds write (CVE-ID: CVE-2017-9228)
The vulnerability allows a remote attacker to execute arbitrary code. The weakness exists in mbstring due to a heap out-of-bounds write in bitset_set_range() during regular expression compilation, caused by an incorrect state transition in parse_char_class(). A remote attacker can trigger out-of-bounds write memory corruption and execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Null pointer dereference (CVE-ID: CVE-2017-9229)
The vulnerability allows a remote attacker to cause a DoS condition. The weakness exists in mbstring due to an error in the handling of reg->dmin in forward_search_range(). A remote attacker can trigger a SIGSEGV in left_adjust_char_head() during regular expression compilation, causing a NULL pointer dereference and an application crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Install the update from the vendor's website.