Flashes (Alerts)
Abstract
Oracle Outside In Technology contains exploitable vulnerabilities in the CorelDRAW (CVE-2011-2264) file parser, the File ID SDK (CVE-2011-0794), and file filters (CVE-2011-0808). Each of these vulnerabilities may allow a remote, unauthenticated user to execute arbitrary code on a vulnerable system when processing specially-crafted files using the Outside In Technology. The three impacted file formats are identified below:
ID File Format
CVE-2011-2264 CorelDRAW
CVE-2011-0794 Microsoft CAB
CVE-2011-0808 Lotus 123
Content
VULNERABILITY DETAILS:
Details of each of these vulnerabilities are as follows:
CVE ID: CVE-2011-2264
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/68650 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID: CVE-2011-0794
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/66916 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID: CVE-2011-0794
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/66929 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
Windows® on 32-bit AMD and Intel systems (x86)
Windows® on AMD64 and Intel EM64T systems (x64)
Linux® on 32-bit AMD and Intel systems (x86)
Linux® on AMD64 and Intel(R) EM64T systems (x64)
AIX 64-bit
Solaris 64-bit on UltraSPARC systems
Solaris 64-bit on x64 systems
HP-UX on HP Integrity Itanium-based systems (IA64)
REMEDIATION:
Fix:
Check the accSuiteRelease.properties file located in <DB2_install_dir>/db2tss.
If the accSuiteRelease.properties file does not exist, or if the properties file exists, but the version number in the properties file is less than V2.0.0, an upgrade is necessary :
1. Download the DB2 Accessories Suite for DB2 9.7 Fix pack 4 V2.0.0 and extract the installer
2. Stop the text search service: db2ts stop for text
3. Run the installer to upgrade your existing setup.
It is not necessary to run the richtextTool to disable the setup first, the installer will recognize the existing setup and apply the upgrade.
Workaround:
None
Mitigation:
To minimize these three exposures, please avoid processing untrusted CorelDRAW, Lotus 123, or Microsoft CAB files until the upgrade of the DB2 Accessories Suite has been applied.
REFERENCES:
If you have immediate concerns about this vulnerability or require more information regarding this security bulletin, please contact IBM Support.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Was this topic helpful?
Document Information
Modified date:
25 September 2022
UID
swg21578978