ESB-2018.0383 - [Appliance] IBM Netezza Platform Software: Multiple vulnerabilities 2018-02-08


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0383
        Security Bulletin: Multiple vulnerabilities in GNU Binutils
               affect IBM Netezza Platform Software clients.
                              8 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Netezza Platform Software
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14333 CVE-2017-14130 CVE-2017-14129
                   CVE-2017-13710 CVE-2017-12967 CVE-2017-12799
                   CVE-2017-12459 CVE-2017-12458 CVE-2017-12457
                   CVE-2017-12456 CVE-2017-12455 CVE-2017-12454
                   CVE-2017-12453 CVE-2017-12452 CVE-2017-12451
                   CVE-2017-12450 CVE-2017-12449 CVE-2017-12448
                   CVE-2017-9954 CVE-2017-9754 CVE-2017-9753
                   CVE-2017-9752 CVE-2017-9750 CVE-2017-9749
                   CVE-2017-9748 CVE-2017-9747 CVE-2017-9745
                   CVE-2017-9744 CVE-2017-9743 CVE-2017-9742
                   CVE-2017-9042 CVE-2017-9040 CVE-2017-9039
                   CVE-2017-8421 CVE-2017-8398 CVE-2017-7299
                   CVE-2017-7227 CVE-2017-7226 CVE-2017-7225
                   CVE-2017-7224 CVE-2017-7223 CVE-2017-7210
                   CVE-2017-6966 CVE-2014-9939 

Reference:         ESB-2017.1838

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22012609

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza
Platform Software clients.


Document information

More support for: PureData System for Analytics

Software version: 1.0.0

Operating system(s): Platform Independent

Software edition: All Editions

Reference #: 2012609

Modified date: 07 February 2018


Summary

GNU Binutils is used by IBM Netezza Platform Software. IBM Netezza Platform
Software has addressed the applicable CVEs.


Vulnerability Details

CVEID: CVE-2017-14129

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    heap-based buffer over-read in the read_section function in dwarf2.c in the
    Binary File Descriptor (BFD) library (aka libbfd). By using a
    specially-crafted ELF file, a remote attacker could exploit this
    vulnerability to cause the application to crash.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/131422 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-14130

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    heap-based buffer over-read in the _bfd_elf_parse_attributes function in
    elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd). By
    using a specially-crafted ELF file, a remote attacker could exploit this
    vulnerability to cause the application to crash.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/131423 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-13710

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    NULL pointer dereference in setup_group function in elf.c in the Binary File
    Descriptor (BFD) library. By using a small group section, a remote attacker
    could exploit this vulnerability to cause the application to crash.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/131063 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-14333

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    integer overflow in the process_version_sections function in readelf.c. By
    using a specially-crafted binary file, a local attacker could exploit this
    vulnerability to cause the system to hang.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/131933 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-12448

    DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
    code on the system, caused by a heap use after free in bfd_cache_close
    function in bfd/cache.c in the Binary File Descriptor (BFD) library. By
    using a specially-crafted nested archive file, an attacker could exploit
    this vulnerability to possibly execute arbitrary code.

    CVSS Base Score: 7.8

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130146 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


CVEID: CVE-2017-12449

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    out of bounds heap read in _bfd_vms_save_sized_string function in vms-misc.c
    in the Binary File Descriptor (BFD) library. By using a specially-crafted
    vms file, a remote attacker could exploit this vulnerability to cause the
    application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130137 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12450

    DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
    code on the system, caused by an out of bounds heap write in
    alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor
    (BFD) library. By using a specially-crafted mach-o file, an attacker could
    exploit this vulnerability to possibly execute arbitrary code.

    CVSS Base Score: 7.8

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130136 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


CVEID: CVE-2017-12451

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    out of bounds stack read in _bfd_xcoff_read_ar_hdr function in
    bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor
    (BFD) library. By using a specially-crafted COFF image file, a remote
    attacker could exploit this vulnerability to cause the application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130145 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12452

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    out of bounds heap read in bfd_mach_o_i386_canonicalize_one_reloc function
    in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library. By using a
    specially-crafted mach-o file, a remote attacker could exploit this
    vulnerability to cause the application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130140 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12453

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    out of bounds heap read in _bfd_vms_slurp_eeom function in libbfd.c in the
    Binary File Descriptor (BFD) library. By using a specially-crafted vms alpha
    file, a remote attacker could exploit this vulnerability to cause the
    application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130141 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12454

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    arbitrary memory read in _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in
    the Binary File Descriptor (BFD) library. By using a specially-crafted
    binary file, a remote attacker could exploit this vulnerability to cause the
    application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130144 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12455

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    out of bounds heap read in evax_bfd_print_emh function in vms-alpha.c in the
    Binary File Descriptor (BFD) library. By using a specially-crafted vms alpha
    file, a remote attacker could exploit this vulnerability to cause the
    application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130138 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12456

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    out of bounds heap read in read_symbol_stabs_debugging_info function in
    rddbg.c. By using a specially-crafted binary file, a remote attacker could
    exploit this vulnerability to cause the application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130142 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12457

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    NULL dereference in bfd_make_section_with_flags function in section.c in the
    Binary File Descriptor (BFD) library. By using a specially-crafted file, a
    remote attacker could exploit this vulnerability to cause the application to
    crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130143 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12458

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    out of bounds heap read in nlm_swap_auxiliary_headers_in function in
    bfd/nlmcode.h in the Binary File Descriptor (BFD) library. By using a
    specially-crafted nlm file, a remote attacker could exploit this
    vulnerability to cause the application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130139 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-12459

    DESCRIPTION: GNU Binutils could allow a remote attacker to execute arbitrary
    code on the system, caused by an out of bounds heap write in the
    bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File
    Descriptor (BFD) library. By using a specially-crafted mach-o file, an
    attacker could exploit this vulnerability to possibly execute arbitrary
    code.

    CVSS Base Score: 7.8

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130135 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


CVEID: CVE-2017-12799

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    buffer overflow in the elf_read_notes function in bfd/elf.c. By using a
    specially-crafted binary file, a remote attacker could exploit this
    vulnerability to cause the application to crash.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130303 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-12967

    DESCRIPTION: GNU Binutils libbfd is vulnerable to a denial of service,
    caused by stack-based buffer over-read in the getsym function in tekhex.c in
    the Binary File Descriptor (BFD) library (aka libbfd). By using a specially
    crafted malformed tekhex binary, a remote attacker could exploit this
    vulnerability to cause the application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/130728 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9954

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the getvalue function in tekhex.c in the Binary
    File Descriptor (BFD) library. By persuading a victim to open a
    specially-crafted tekhex file, a remote attacker could overflow a buffer and
    cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127718 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9754

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the process_otr function in bfd/versados.c in
    the Binary File Descriptor (BFD) library. By persuading a victim to open a
    specially-crafted binary file, a remote attacker could overflow a buffer and
    cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127553 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9753

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the versados_mkobject function in bfd/versados.c
    in the Binary File Descriptor (BFD) library. By persuading a victim to open
    a specially-crafted binary file, a remote attacker could overflow a buffer
    and cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127552 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9752

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by bfd/vms-alpha.c in the Binary File Descriptor
    (BFD) library. By persuading a victim to open a specially-crafted binary
    file, a remote attacker could overflow a buffer and cause the program to
    crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127551 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9750

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking in opcodes/rx-decode.opc. By persuading a victim
    to open a specially-crafted binary file, a remote attacker could overflow a
    buffer and cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127549 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9749

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the regs macros in opcodes/bfin-dis.c. By
    persuading a victim to open a specially-crafted binary file, a remote
    attacker could overflow a buffer and cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127548 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9745

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the _bfd_vms_slurp_etir function in
    bfd/vms-alpha.c in the Binary File Descriptor (BFD) library. By persuading a
    victim to open a specially-crafted binary file, a remote attacker could
    overflow a buffer and cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127544 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9744

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the sh_elf_set_mach_from_flags function in
    bfd/elf32-sh.c in the Binary File Descriptor (BFD) library. By persuading a
    victim to open a specially-crafted binary file, a remote attacker could
    overflow a buffer and cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127541 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9743

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the print_insn_score32 function in
    opcodes/score7-dis.c. By persuading a victim to open a specially-crafted
    binary file, a remote attacker could overflow a buffer and cause the program
    to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127540 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9742

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the score_opcodes function in
    opcodes/score7-dis.c. By persuading a victim to open a specially-crafted
    binary file, a remote attacker could overflow a buffer and cause the program
    to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127539 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9748

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the ieee_object_p function in bfd/ieee.c in the
    Binary File Descriptor (BFD) library. By persuading a victim to open a
    specially-crafted binary file, a remote attacker could overflow a buffer and
    cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127547 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9747

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    improper bounds checking by the ieee_archive_p function in bfd/ieee.c in the
    Binary File Descriptor (BFD) library. By persuading a victim to open a
    specially-crafted binary file, a remote attacker could overflow a buffer and
    cause the program to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127546 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2014-9939

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    stack-based buffer overflow in ihex.c. By using a specially-crafted ihex
    file, a remote attacker could exploit this vulnerability to cause the
    application to crash.

    CVSS Base Score: 7.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127317 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-7299

    DESCRIPTION: The libbfd library in GNU Binutils is vulnerable to a denial of
    service, caused by an invalid read flaw in the bfd_elf_final_link function
    in bfd/elflink.c. By using a specially-crafted input file, a remote attacker
    could exploit this vulnerability to cause the GNU linker (ld) to crash.

    CVSS Base Score: 7.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/124112 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-7227

    DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
    overflows, caused by improper bounds checking by GNU linker (ld). By using a
    specially-crafted input script, an attacker could overflow a buffer and
    cause the program to crash.

    CVSS Base Score: 6.2

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/123655 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-7224

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    flaw in the find_nearest_line function in objdump. By using a
    specially-crafted binary, an attacker could exploit this vulnerability to
    cause the program to crash.

    CVSS Base Score: 6.2

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/123652 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-7223

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    global buffer overflow in the GNU assembler. By using EOF characters, an
    attacker could exploit this vulnerability to cause the program to crash.

    CVSS Base Score: 6.2

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/123651 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-7210

    DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
    overflows, caused by improper bounds checking by objdump. By using a
    specially-crafted object file, an attacker could overflow a buffer and cause
    the program to crash.

    CVSS Base Score: 5.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/123537 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)


CVEID: CVE-2017-6966

    DESCRIPTION: GNU Binutils is vulnerable to a buffer overflow, caused by a
    use-after-free flaw in the MSP430 binary. By persuading a victim to open a
    specially-crafted file, a remote attacker could overflow a buffer and
    execute arbitrary code on the system.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/123388 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)


CVEID: CVE-2017-7226

    DESCRIPTION: GNU Binutils is vulnerable to multiple heap-based buffer
    overflows, caused by improper bounds checking by pe_ILF_object_p function in
    the Binary File Descriptor (BFD) library. By using a specially-crafted file,
    an attacker could overflow a buffer and cause the program to crash and
    potentially obtain sensitive information.

    CVSS Base Score: 6.8

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/123654 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)


CVEID: CVE-2017-7225

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    NULL pointer dereference in the find_nearest_line function in addr2line. By
    using a specially-crafted binary, an attacker could exploit this
    vulnerability to cause the program to crash.

    CVSS Base Score: 6.2

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/123653 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-9042

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    flaw in readelf.c. By using a specially-crafted ELF file, a remote attacker
    could exploit this vulnerability to cause the application to crash.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/126190 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-9040

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    NULL pointer dereference in the process_mips_specific function in readelf.c.
    By using a specially-crafted ELF file, a remote attacker could exploit this
    vulnerability to cause the application to crash.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/126192 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-9039

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by
    excessive memory consumption in the get_program_headers function in
    readelf.c. By using a specially-crafted ELF file, a remote attacker could
    exploit this vulnerability to cause the application to crash.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/126193 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-8421

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a
    memory leak in the coff_set_alignment_hook function in coffcode.h. By
    persuading a victim to open a specially-crafted PE file, a remote attacker
    could exploit this vulnerability to cause memory exhaustion in objdump.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/125745 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-8398

    DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an
    invalid read of size 1 error in dwarf.c. By persuading a victim to open a
    specially-crafted file, a remote attacker could exploit this vulnerability
    to cause the application to crash.

    CVSS Base Score: 5.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/125533 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)



Affected Products and Versions

IBM Netezza Platform Software 4.6.8-4.6.12.P5
IBM Netezza Platform Software 5.0.10-5.2.2.P5
IBM Netezza Platform Software 6.0.3-6.1.P2
IBM Netezza Platform Software 7.0-7.2.1.5-P1


Remediation/Fixes

+------------------------------+-----------+-----------------------------------+
|Product                       |VRMF       |Remediation/First Fix              |
+------------------------------+-----------+-----------------------------------+
|IBM Netezza Platform Software |7.2.1.5-P2 |7.2.1.5-P2-IM-Netezza-NPS-fp119959 |
+------------------------------+-----------+-----------------------------------+
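As an added example (not part of the IBM or AusCERT bulletin), a Python check that maps an NPS release string onto the affected ranges and the first fix level listed above. It assumes NPS versions order as a dotted numeric release followed by an optional "P" patch level (the bulletin writes it both as ".P5" and "-P1"), and the release banner parsed by assess_nzrev_output is a constructed sample rather than documented nzrev output.

```python
"""Map an IBM Netezza Platform Software (NPS) version onto this bulletin's
affected ranges and first-fix level.

Assumption: a version is a dotted numeric release plus an optional patch level
'P<n>', and '7.2.1.5' sorts before '7.2.1.5-P1' (same release, lower patch).
"""
import re

# Ranges quoted in the bulletin (inclusive at both ends) and the first fixed VRMF.
AFFECTED_RANGES = [
    ("4.6.8", "4.6.12.P5"),
    ("5.0.10", "5.2.2.P5"),
    ("6.0.3", "6.1.P2"),
    ("7.0", "7.2.1.5-P1"),
]
FIRST_FIX = "7.2.1.5-P2"

# Numeric release, then an optional '.P<n>' or '-P<n>' patch level.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[.-]P(\d+))?")
COMPONENTS = 6  # pad every release to this many numeric fields for comparison


def parse_version(text):
    """Return (numeric_components, patch_level) for an NPS version string."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised NPS version: %r" % text)
    numbers = tuple(int(n) for n in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return numbers, patch


def version_key(text):
    """Sortable key: release fields right-padded with zeros, then the patch level."""
    numbers, patch = parse_version(text)
    return numbers + (0,) * (COMPONENTS - len(numbers)), patch


def is_affected(version):
    """True when the version lies inside any range the bulletin lists."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def assess(version):
    """Classify a version: affected, at or above the first fix, or outside the
    listed ranges (for example 6.1.P3, which the bulletin does not mention)."""
    if is_affected(version):
        return "affected"
    if version_key(version) >= version_key(FIRST_FIX):
        return "at_or_above_first_fix"
    return "outside_listed_ranges"


def assess_nzrev_output(banner):
    """Extract the version from a release banner such as
    'Release 7.2.1.5-P1 [Build 42]' (constructed sample format) and assess it."""
    m = re.search(r"\d+(?:\.\d+)+(?:[.-]P\d+)?", banner)
    if not m:
        raise ValueError("no NPS version found in: %r" % banner)
    return m.group(0), assess(m.group(0))


if __name__ == "__main__":
    for sample in ("7.0", "7.2.1.5", "7.2.1.5-P1", "7.2.1.5-P2", "6.1.P2", "6.1.P3"):
        print("%-12s %s" % (sample, assess(sample)))
    print(assess_nzrev_output("Release 7.2.1.5-P1 [Build 42]"))  # constructed banner
```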


Workarounds and Mitigations

None


Change History

7 Feb 2018 : Original version published


*The CVSS Environmental Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
