Security Bulletin
Summary
Samba, BIND and Libreswan are used by IBM Netezza Host Management. IBM Netezza Host Management has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2016-2119
DESCRIPTION: Samba could allow a remote attacker to conduct spoofing attacks. A man-in-the-middle attacker could exploit this vulnerability to inject the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags to downgrade the client's configuration-required signing protections for SMB2 or SMB3 client connections and spoof the server.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114797 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2016-2848
DESCRIPTION: ISC BIND is vulnerable to a denial of service. By sending a specially crafted DNS packet with malformed options, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118228 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-3071
DESCRIPTION: Libreswan is vulnerable to a denial of service, caused by an error in IKEv2 aes_xcbc transform. By sending a specially-crafted IKE packet, a remote attacker could exploit this vulnerability to cause the IKE daemon to crash and restart.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112389 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
Affected Version | CVE |
IBM Netezza Host Management 5.4.6.0 (and prior releases) | CVE-2016-3071 CVE-2016-2119 CVE-2016-2428 |
Remediation/Fixes
To resolve the reported CVEs for Red Hat Enterprise Linux (RHEL), and for the most-up-to-date software for the Netezza host operating system, update to the latest IBM Netezza Host Management release:
Product | VRMF | Remediation/First Fix |
IBM Netezza Host Management | 5.4.7.0 | Link to Fix Central |
The Netezza Host Management software contains the latest RHEL updates for the operating systems certified for use on IBM Netezza/PureData System for Analytics appliances. IBM recommends upgrading to the latest Netezza Host Management version to ensure that your hosts have the latest fixes, security changes, and operating system updates. IBM Support can assist you with planning for the Netezza Host Management and operating system upgrades to your appliances.
For more details on IBM Netezza Host Management security patching:
Get Notified about Future Security Bulletins
References
Change History
23 November, 2016: Original version published
30 November, 2016: Updated CVE Links and format and links to CVSS v3 Guide and calculator
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Security bulletin 1985978 incorrectly listed CVE-2016-3071 but was not included in Host Management 5.4.6.0 in error.
This bulletin correctly lists CVE-2016-3071 and this Host Management release 5.4.7.0 does include the Libreswan fix. A Suggested Update has been made to SB 1985978.
Was this topic helpful?
Document Information
Modified date:
17 October 2019
UID
swg21994231