Tuesday, December 27, 2016

IBM Security Bulletin: Vulnerabilities in Python affect IBM SmartCloud Entry (CVE-2016-0772 CVE-2016-5699 CVE-2016-1000110)

IBM SmartCloud Entry is affected by vulnerabilities in Python. Attackers could exploit these vulnerabilities to strip out the STARTTLS command without generating an exception in the Python SMTP client application, preventing the establishment of the TLS layer; to inject arbitrary HTTP headers, which allows the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking; or to redirect outbound HTTP traffic to an arbitrary proxy server. The last of these is also known as the “HTTPOXY” vulnerability.

CVE(s): CVE-2016-0772, CVE-2016-5699, CVE-2016-1000110

Affected product(s) and affected version(s):

IBM SmartCloud Entry 2.2.0 through 2.2.0.4 Appliance fix pack 7
IBM SmartCloud Entry 2.3.0 through 2.3.0.4 Appliance fix pack 7
IBM SmartCloud Entry 2.4.0 through 2.4.0.4 Appliance fix pack 7
IBM SmartCloud Entry 3.1.0 through 3.1.0.4 Appliance fix pack 22
IBM SmartCloud Entry 3.2.0 through 3.2.0.4 Appliance fix pack 22

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2i3wCJN
X-Force Database: http://ift.tt/2dv9ofZ
X-Force Database: http://ift.tt/2dNq4KV
X-Force Database: http://ift.tt/2dv8GPN



from IBM Product Security Incident Response Team http://ift.tt/2i3m9hK