SB2018022101 - Multiple vulnerabilities in IBM Planning Analytics
Published: February 21, 2018
Security Bulletin ID
SB2018022101
Severity
High
Patch available
YES
Number of vulnerabilities
9
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Remote code execution (CVE-ID: CVE-2017-3511)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to unknown error related to the Java SE, Java SE Embedded, JRockit JCE component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
2) Security restrictions bypass (CVE-ID: CVE-2017-3539)
The vulnerability allows a remote attacker to modify information on the target system.The weakness exists due to unknown error related to the Java SE, Java SE Embedded Security component. A remote attacker can trick the victim into visiting a specially crafted webpage, access and modify arbitrary data.
3) Denial of service (CVE-ID: CVE-2016-9840)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
4) Denial of service (CVE-ID: CVE-2016-9842)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists in zlib due to an undefined left shift of negative number. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
5) Denial of service (CVE-ID: CVE-2016-9843)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists in zlib due to big-endian out-of-bounds pointer. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
6) Information disclosure (CVE-ID: CVE-2017-10115)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to unknown error. A remote attacker can disclose important data on the target system
7) Remote code execution (CVE-ID: CVE-2017-10116)
The vulnerability allows a remote authenticated attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
8) Denial of service (CVE-ID: CVE-2017-10108)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to unknown error. A remote attacker can cause the application to crash.
9) Denial of service (CVE-ID: CVE-2017-10109)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to unknown error. A remote attacker can cause the application to crash.
Remediation
Install update from vendor's website.