IBM Support

Security Bulletin: IBM i is affected by networking BIND vulnerabilities CVE-2018-5744 CVE-2019-6465 and CVE-2018-5745.

Security Bulletin


Summary

ISC BIND is affected by the three vulnerabilities described below. IBM i has addressed these vulnerabilities.

This security bulletin was updated on June 21, 2019, because an additional IBM i PTF is now available for IBM i 7.4.

Vulnerability Details

CVEID: CVE-2018-5745
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by an error in the managed-keys feature. By replacing a trust anchor's keys with keys which use an unsupported algorithm, a remote authenticated attacker could exploit this vulnerability to cause an assertion failure.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157386 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-6465
DESCRIPTION: ISC BIND could allow a remote attacker to obtain sensitive information, caused by the failure to properly apply controls for zone transfers to Dynamically Loadable Zones (DLZs) if the zones are writable. An attacker could exploit this vulnerability to request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157377 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
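For CVE-2019-6465 the check a practitioner wants is whether a zone transfer (AXFR) is actually refused when requested from a client that the zone's allow-transfer ACL does not permit. The following is an added example and is not code from IBM's bulletin or from ISC: it builds a raw AXFR query, sends it over TCP, and classifies the server's first reply. The server and zone names, and the sample replies used for offline testing, are constructed for illustration.

```python
"""Check whether a DNS server enforces allow-transfer for a zone.

Added example (not code from the IBM bulletin or from ISC). Sends one AXFR over
TCP and classifies the first reply. Run it from a host the zone's allow-transfer
ACL should reject: a NOERROR reply carrying the zone's SOA means the transfer
was allowed. Server, zone and record values here are assumed/constructed.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TYPE_SOA, TYPE_AXFR, CLASS_IN = 6, 252, 1

def encode_name(name):
    """Encode 'example.com.' as wire labels: 07 'example' 03 'com' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header (ID, flags=0, QDCOUNT=1) plus one AXFR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_axfr_response(msg):
    """Return (rcode, answer_count, saw_soa) for one DNS message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    saw_soa = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        saw_soa = saw_soa or rtype == TYPE_SOA
    return rcode, an, saw_soa

def classify(rcode, answer_count, saw_soa):
    """Verdict from the first reply: a real zone transfer opens with the SOA."""
    if rcode == "NOERROR" and saw_soa:
        return "TRANSFER-ALLOWED"
    if rcode in ("REFUSED", "NOTAUTH"):
        return "TRANSFER-DENIED"
    return "INCONCLUSIVE"  # e.g. SERVFAIL, FORMERR, or NOERROR without an SOA

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def check_zone_transfer(server, zone, port=53, timeout=5.0):
    """Send one AXFR over TCP and return the verdict for that server/zone."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # 2-byte TCP length prefix
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        reply = _recv_exact(sock, length)
    return classify(*parse_axfr_response(reply))

def sample_reply(refused):
    """Constructed replies for offline testing; not captured from a real server."""
    question = encode_name("example.com.") + struct.pack("!HH", TYPE_AXFR, CLASS_IN)
    if refused:  # QR=1, AA=1, RCODE=REFUSED, no answer records
        return struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + question
    rdata = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2019042201, 7200, 900, 1209600, 3600))
    soa = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + question + soa
```

Usage is `check_zone_transfer("<your DNS server>", "<zone>.")`, run from a host outside the zone's allow-transfer ACL. A TRANSFER-DENIED result only proves that this particular client was refused, so the client choice matters; TRANSFER-ALLOWED from an unauthorised client is the behaviour this bulletin describes for writable DLZ zones. The check exercises the server's behaviour only and says nothing about whether the PTF is installed, so it complements, rather than replaces, confirming the PTF level.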

CVEID: CVE-2018-5744
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a failure to free memory when processing messages with a specific combination of EDNS options. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157371 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Releases 7.1, 7.2, 7.3, and 7.4 of IBM i are affected.

Remediation/Fixes

These issues are fixed by applying a PTF to IBM i.
Releases 7.1, 7.2, 7.3, and 7.4 of IBM i are supported and will be fixed.

https://www-945.ibm.com/support/fixcentral/

The IBM i PTF numbers are:

Release 7.1 – SI69120
Release 7.2 – SI69118
Release 7.3 – SI69119
Release 7.4 – SI69622

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 April 2019: Original Version Published
21 June 2019: Updated to include IBM i 7.4 release information

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information
Product   Component   Platform   Version   Edition
IBM i     7.1         IBM i      7.1
IBM i     7.2         IBM i      7.2
IBM i     7.3         IBM i      7.3
IBM i     7.4         IBM i      7.4

Document information

More support for: IBM i

Software version: 7.1,7.2,7.3,7.4

Operating system(s): IBM i

Reference #: 0876698

Modified date: 21 June 2019