Security Bulletin
Summary
cURL vulnerabilities were disclosed by the cURL Project. cURL is used by IBM Workload Scheduler. IBM Workload Scheduler has addressed the applicable CVEs.
Vulnerability Details
CVE-ID: CVE-2016-8616
Description: cURL/libcurl could allow a remote attacker to bypass security restrictions, caused by the use of case-insensitive comparisons when matching credentials against cached connections. By presenting credentials that differ only in case from valid credentials for a protocol which supports connection-scoped credentials, an attacker could exploit this vulnerability to cause an already authenticated connection to be reused.
CVSS Base Score: 5.300
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118633 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
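The flaw behind CVE-2016-8616 is a connection cache that decides whether an existing, already authenticated connection may be reused by comparing the supplied user name and password case-insensitively. The following Python is an added example written for this bulletin, not code from the cURL project or from IBM Workload Scheduler; the pool layout, the host name and the credentials are constructed for illustration. It places the vulnerable match beside the corrected byte-for-byte match so the bypass is visible: an attacker who knows only a case variant of the real password is handed the victim's connection.

```python
"""Connection-cache credential matching: case-insensitive (the CVE-2016-8616
pattern) beside case-sensitive. Added example, not curl's implementation."""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """A cached connection and the credentials it was authenticated with
    (a protocol with connection-scoped login, FTP for instance)."""
    host: str
    port: int
    user: str
    password: str


def _same_endpoint(conn, host, port):
    # DNS names are case-insensitive, so folding case on the host is correct.
    return conn.host.lower() == host.lower() and conn.port == port


def find_reusable_insecure(pool, host, port, user, password):
    """Vulnerable: folds case on the user name and password as well, so
    'Secret1' and 'secret1' select the same authenticated connection."""
    for conn in pool:
        if (_same_endpoint(conn, host, port)
                and conn.user.lower() == user.lower()
                and conn.password.lower() == password.lower()):
            return conn
    return None


def find_reusable(pool, host, port, user, password):
    """Fixed: credentials must match exactly. compare_digest also avoids a
    timing side channel on the password comparison."""
    for conn in pool:
        if (_same_endpoint(conn, host, port)
                and hmac.compare_digest(conn.user.encode(), user.encode())
                and hmac.compare_digest(conn.password.encode(),
                                        password.encode())):
            return conn
    return None


def reuse_demo():
    """Constructed scenario: the victim logged in as alice/Secret1; the
    attacker asks for the same endpoint and user with password 'secret1'.
    Returns (reused_by_vulnerable_match, reused_by_fixed_match)."""
    pool = [Conn("ftp.example.test", 21, "alice", "Secret1")]  # constructed
    attacker = ("ftp.example.test", 21, "alice", "secret1")
    return (find_reusable_insecure(pool, *attacker) is not None,
            find_reusable(pool, *attacker) is not None)


if __name__ == "__main__":
    print(reuse_demo())
```

The host comparison is left case-insensitive on purpose: that is the legitimate use of case folding in a connection cache, and the bug is applying the same rule to secrets.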
CVE-ID: CVE-2016-8621
Description: cURL/libcurl could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the curl_getdate function. By supplying specially crafted date strings, a remote attacker could exploit this vulnerability to read beyond the end of a buffer and obtain sensitive information from the process.
CVSS Base Score: 5.300
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118639 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE-ID: CVE-2016-8624
Description: cURL/libcurl could allow a remote attacker to bypass security restrictions, caused by the failure to correctly parse the authority component of a URL that contains a '#' character. By using a specially crafted URL containing a '#' character, an attacker could exploit this vulnerability to make cURL connect to a host other than the one a conforming URL parser would identify, bypassing access restrictions based on that host.
CVSS Base Score: 5.300
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118642 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
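CVE-2016-8624 is a disagreement between URL parsers. RFC 3986 ends the authority component at the first '/', '?' or '#', so a pre-check that extracts the host according to the RFC and a fetcher that stops only at '/' or '?' can see two different hosts in the same URL. The Python below is an added example written for this bulletin, not the cURL project's URL parser; the URL, host names and allow-list are constructed for illustration. It shows the two extraction rules side by side and how a host allow-list check passes on one host while the flawed parser resolves another.

```python
"""Authority extraction from a URL: stopping only at '/' and '?' (the
CVE-2016-8624 pattern) beside the RFC 3986 rule that also stops at '#'.
Added example, not curl's URL parser."""


def _after_scheme(url):
    """Return the part of the URL following 'scheme://'."""
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise ValueError("URL must be of the form scheme://authority...")
    return rest


def _cut_at(text, delimiters):
    """Return text up to the first occurrence of any delimiter."""
    end = len(text)
    for ch in delimiters:
        i = text.find(ch)
        if i != -1:
            end = min(end, i)
    return text[:end]


def authority_insecure(url):
    """Vulnerable: a '#' in the host part is swallowed into the authority,
    so what follows it (including an '@' and another host) is treated as
    part of the authority."""
    return _cut_at(_after_scheme(url), "/?")


def authority(url):
    """Fixed: the authority ends at the first '/', '?' or '#' (RFC 3986)."""
    return _cut_at(_after_scheme(url), "/?#")


def host_of(auth):
    """Host from an authority string: drop userinfo (everything up to the
    last '@') and the port. Bracketed IPv6 literals are not handled here."""
    hostport = auth.rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower()


def allowed(url, allowlist, extract=authority):
    """Allow-list check on the host, using the given extraction rule."""
    return host_of(extract(url)) in allowlist


def authority_demo():
    """Constructed URL: an RFC-conforming parser sees example.com; a parser
    that ignores '#' sees an authority of 'example.com#@evil.test' and
    therefore the host evil.test. Returns (rfc_host, flawed_host)."""
    url = "http://example.com#@evil.test/x.txt"  # constructed input
    return host_of(authority(url)), host_of(authority_insecure(url))


if __name__ == "__main__":
    url = "http://example.com#@evil.test/x.txt"
    print("allow-list check (RFC parser):", allowed(url, {"example.com"}))
    print("host the flawed parser would connect to:",
          host_of(authority_insecure(url)))
```

The practical lesson is that a host allow-list is only as good as the agreement between the parser that enforces it and the parser that performs the connection; when the two differ on where the authority ends, the check is bypassed without any malformed input reaching the allow-list code.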
Affected Products and Versions
TWS uses the cURL libraries only for secure communication. These exposures do not apply to the embedded WebSphere Application Server; they apply only to the TWS dynamic agent. The affected releases are:
Tivoli Workload Scheduler Distributed 8.6.0 FP04 and earlier
Tivoli Workload Scheduler Distributed 9.1.0 FP02 and earlier
Tivoli Workload Scheduler Distributed 9.2.0 FP02 and earlier
IBM Workload Scheduler Distributed 9.3.0 FP02 and earlier
IBM Workload Scheduler Distributed 9.4.0 GA
Remediation/Fixes
APAR IV92358 has been opened to address the cURL vulnerabilities for Tivoli Workload Scheduler.
The following limited-availability fixes for IV92358 are available for download on Fix Central:
8.6.0-TIV-TWS-FP0004-IV92358
to be applied on top of Tivoli Workload Scheduler Distributed 8.6.0 FP04
9.1.0-TIV-TWS-FP0002-IV92358
to be applied on top of Tivoli Workload Scheduler Distributed 9.1.0 FP02
9.2.0-TIV-TWS-FP0002-IV92358
to be applied on top of Tivoli Workload Scheduler Distributed 9.2.0 FP02
IV92358 is already included in TWS 9.3 FP0003 and TWS 9.4 FP0001.
For unsupported releases, IBM recommends upgrading to a fixed, supported release of the product.
Workarounds and Mitigations
None
References
Change History
October 17th 2017: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 June 2018
UID: swg22009692