IBM Support

Security Bulletin: Multiple Security Issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On

Security Bulletin


Summary

Multiple vulnerabilities in Apache HTTPD can cause denial of service and allow a remote attacker to bypass security restrictions and obtain sensitive information in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On.
A Vulnerability in the Memcached library used by the IBM Tealeaf Customer Experience on Cloud Network Capture Add-On could permit a denial of service attack.
A Vulnerability in the OpenSSL library used by the IBM Tealeaf Customer Experience on Cloud Network Capture Add-On could permit a a remote attacker to obtain sensitive information.

Vulnerability Details

CVEID: CVE-2017-7679
DESCRIPTION: Apache HTTPD could allow a remote attacker to obtain sensitive information, caused by a buffer overread in mod_mime. By sending a specially crafted Content-Type response header, a remote attacker could exploit this vulnerability to read one byte past the end of a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127420 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-7668
DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by a buffer overread in the ap_find_token() function. By sending a specially crafted sequence of request headers, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3169
DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by a NULL pointer dereference in mod_ssl. By sending a specially crafted HTTP request to an HTTPS port, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127417 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-9951
DESCRIPTION: Memcached is vulnerable to a denial of service, caused by a heap-based buffer over-read in the try_read_command function. By sending a request to add/set a key, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128607 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3735
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Tealeaf Customer Experience on Cloud Network Capture Add-On 16.1.01.

Remediation/Fixes

Product

VRMF
Remediation/First Fix
IBM Tealeaf Customer Experience on Cloud Network Capture Add-On
16.1.01

https://www-945.ibm.com/support/fixcentral

To download hybrid installer, one need to go to identify fixes page of fix central & in 'Individual fix IDs' field need to enter value in format 'FixID:AccessKey" where FixID is 9.0.2.5359_TLTransport_MSI_Hybrid and access key will vary for each customer. An unique access key for each applicable customer can be generated on demand.

Workarounds and Mitigations

Access to local networks containing networked Tealeaf servers should be limited to avoid unauthorized access to or disruption of Tealeaf services.
Access to PCA systems should be limited as much as possible

Get Notified about Future Security Bulletins

References

Off

Change History

03 July 2018 - Final Version

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only


Submitted for review by SWATHI PRABHU (prabhusw@us.ibm.com) at 14:50:23 on 05/23/2018. Security Bulletin Reviewer review completed with comments 'Review complete - Security bulletin for PR# 97860' by Anthony J. Gackle (tgackle@us.ibm.com) at 16:28:40 EST on 05/23/2018. Security Bulletin Review by Reviewing Attorney bypassed by deadmin (deadmin) at 16:28:42 EST on 05/23/2018. Security Bulletin Reviews Complete by deadmin (deadmin) at 16:28:42 EST on 05/23/2018.

98087
Submitted for review by SWATHI PRABHU (prabhusw@us.ibm.com) at 14:51:21 on 05/23/2018. Security Bulletin Reviewer review completed with comments 'Review complete - Security bulletin for PR# 98087' by Anthony J. Gackle (tgackle@us.ibm.com) at 16:39:12 EST on 05/23/2018. Security Bulletin Review by Reviewing Attorney bypassed by deadmin (deadmin) at 16:39:13 EST on 05/23/2018. Security Bulletin Reviews Complete by deadmin (deadmin) at 16:39:14 EST on 05/23/2018.

100888
Submitted for review by SWATHI PRABHU (prabhusw@us.ibm.com) at 14:52:28 on 05/23/2018. Security Bulletin Reviewer review completed with comments 'Review complete - Security bulletin for PR# 100888' by Anthony J. Gackle (tgackle@us.ibm.com) at 17:10:47 EST on 05/23/2018. Security Bulletin Review by Reviewing Attorney bypassed by deadmin (deadmin) at 17:10:48 EST on 05/23/2018. Security Bulletin Reviews Complete by deadmin (deadmin) at 17:10:49 EST on 05/23/2018.

[{"Product":{"code":"SSERNK","label":"Tealeaf Customer Experience"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
10 July 2018

UID

swg22016643