IBM Support

Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple PHP vulnerabilities

Security Bulletin


Summary

Multiple security vulnerabilities have been discovered in the version of PHP that is embedded in IBM FSM. This bulletin addresses these vulnerabilities.

Vulnerability Details

CVEID: CVE-2015-8835
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by the failure to properly retrieve keys by the make_http_soap_request function. A remote attacker could exploit this vulnerability using specially crafted serialized data to execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114527 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8866
DESCRIPTION:
PHP could allow a remote attacker to obtain sensitive information, caused by the failure to isolate each thread from libxml_disable_entity_loader changes in other threads by ext/libxml/libxml.c. An attacker could exploit this vulnerability using a specially crafted XML document to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks.
CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113954 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-3141
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in WDDX Deserialize when processing XML data. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111456 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2014-9767
DESCRIPTION:
PHP could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to ZipArchive::extractTo containing directory traversal sequences to view arbitrary files on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111541 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-3185
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in make_http_soap_request(). By sending a specially crafted SOAP request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111539 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4070
DESCRIPTION:
PHP is vulnerable to a denial of service, caused by an integer overflow in the php_raw_url_encode function. A remote attacker could exploit this vulnerability using an overly long string to cause the application to crash. Note: The details of this vulnerability have been disputed by the vendor.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114120 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-4537
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by bcpowmod. By sending a negative string, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4538
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by bcpowmod when handling _one_ definition. A remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4542
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the exif_read_data function. By sending a specially-crafted spprintf call, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to enter into an infinite loop.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113012 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4543
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the exif_read_data function. By using the Illegal IFD size validation, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to enter into an infinite loop.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4544
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the exif_read_data function. By using the Invalid TIFF start validation, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to enter into an infinite loop.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113014 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5094
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the php_html_entities() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5095
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the php_html_entities() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113517 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5096
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by an integer underflow in fread/gzread. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113518 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)



CVEID: CVE-2016-5399
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the bzread() function. By sending a specially-crafted request, an attacker could exploit this vulnerability to upload a malformed PHP script to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115332 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8935
DESCRIPTION:
PHP is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the header() function with Internet Explorer. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114314 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-5766
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the _gd2GetHeader() function. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114386 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5767
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the gdImagePaletteToTrueColor() function. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114387 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5769
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by an integer overflow when mcrypt_generic tries to calculate data_size. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114389 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5772
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by a double-free error in wddx_deserialize. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114392 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-6288
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by a buffer over-read in the php_url_parse_ex function. An attacker could exploit this vulnerability using vectors involving the smart_str data type to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115541 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-6289
DESCRIPTION:
PHP is vulnerable to a stack-based buffer overflow, caused by an integer overflow in the virtual_file_ex function. By using a specially crafted extract operation on a ZIP archive, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115540 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-6290
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in session.c. An attacker could exploit this vulnerability using vectors related to session deserialization to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115539 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-6291
DESCRIPTION:
PHP could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds array in the exif_process_IFD_in_MAKERNOTE function. By persuading a victim to open a specially crafted JPEG image, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115538 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-6296
DESCRIPTION:
PHP is vulnerable to a heap-based buffer overflow, caused by an integer signedness error in the simplestring_addn function. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115533 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-6297
DESCRIPTION:
PHP is vulnerable to a stack-based buffer overflow, caused by an integer overflow in the php_stream_zip_opener function. By using a specially crafted zip:// URL, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115532 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Flex System Manager 1.3.4.x
Flex System Manager 1.3.3.x
Flex System Manager 1.3.2.x

Remediation/Fixes

IBM recommends updating the FSM using the instructions referenced in this table.

Product | VRMF | APAR | Remediation
Flex System Manager | 1.3.4.x | IT16774 | Ensure the steps in Technote 761981453 are completed, and then install fsmfix1.3.4.0_IT16772_IT16773_IT16774_IT16776
Flex System Manager | 1.3.3.x | IT16774 | Ensure the steps in Technote 736218441 are completed, and then install fsmfix1.3.3.0_IT16772_IT16773_IT16774_IT16776
Flex System Manager | 1.3.2.x | IT16774 | Ensure the steps in Technote 736218441 are completed, and then install fsmfix1.3.2.0_IT16772_IT16773_IT16774_IT16776

For 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x, IBM recommends upgrading to a fixed, supported version/release of the product.

You should verify that applying this fix does not cause any compatibility issues. The fix disables older encrypted protocols by default. If you change the default setting after applying the fix, you will expose yourself to the attack described in IT15244. IBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.

Workarounds and Mitigations

None

Change History

06 Sept 2016: Original version published
28 Sept 2016: Revised the recommended fixes

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Adv 6236 / PSIRT 81179

Document Information

Modified date: 17 June 2018

UID: isg3T1024229