Security Bulletin
Summary
Multiple vulnerabilities in Open Source VMware affect IBM PureApplication System. IBM PureApplication System has addressed Common Vulnerabilities and Exposures CVE-2017-4903, CVE-2017-4904 and CVE-2017-4905.
Additionally, this bulletin includes information about the release of a fix for Common Vulnerabilities and Exposures. IBM PureApplication System has addressed the applicable CVEs, CVE-2017-4941 and CVE-2017-4925, which cover additional CVEs; see the References section for details.
Vulnerability Details
CVEID: CVE-2017-4905
DESCRIPTION: Multiple VMware products could allow a local attacker to obtain sensitive information, caused by uninitialized stack memory usage. A local attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123963 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-4904
DESCRIPTION: Multiple VMware products could allow a local attacker to execute arbitrary code on the system, caused by uninitialized stack memory usage in the XHCI controller. An attacker could exploit this vulnerability to execute arbitrary code on the system and cause a denial of service.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123962 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-4903
DESCRIPTION: Multiple VMware products could allow a local attacker to execute arbitrary code on the system, caused by uninitialized stack memory usage in SVGA. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123961 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-4925
DESCRIPTION: Multiple VMware products are vulnerable to a denial of service, caused by a NULL pointer dereference when handling guest RPC requests. By sending a specially-crafted RPC request, a local authenticated attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132145 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-4941
DESCRIPTION: VMware ESXi, Workstation and Fusion are vulnerable to a stack-based overflow, caused by improper bounds checking by the remote management function. By sending a specially crafted set of VNC packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136594 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM PureApplication System V2.2
IBM PureApplication System V2.1
Remediation/Fixes
The PureSystems® Managers on IBM PureApplication System are affected.
For CVE-2017-4903, CVE-2017-4904 and CVE-2017-4905, the solution is to upgrade IBM PureApplication System to the following fix level:
IBM PureApplication System V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2:
- Upgrade to IBM PureApplication System V2.2.4.0. Contact IBM for assistance.
- AIX
- http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.4.0&platform=AIX&function=fixId&fixids=pure-appsys-power_2.2.4.0&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc
- LINUX
- http://www.ibm.com/support/fixcentral/swg/quickorder?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.2.4.0&platform=Linux&function=fixId&fixids=Group_Content_PureApplicationSystem_2.2.4.0_Intel&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc
IBM PureApplication System V2.1.0.0, V2.1.0.1, V2.1.0.2, V2.1.0.0, V2.1.1.0, V2.1.2.0, V2.1.2.1, V2.1.2.2, V2.1.2.3, V2.1.2.4:
- IBM recommends upgrading to a fixed version of the product. Contact IBM for assistance.
IBM PureApplication V2.2.5.0
- Upgrade to IBM PureApplication V2.2.5. Contact IBM for assistance.
Workarounds and Mitigations
References
Change History
October 2, 2017: Original document published
October 10, 2017: Updates to Affected Versions
November 10, 2017: Updates to Remediation Fixes
June 24, 2019: Updates to Remediation Fixes
June 26, 2019: Updates to References
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Advisory ID 8332
Product Record ID 101694
Document Information
Modified date: 25 June 2019
UID: swg22009145