VisiBroker 8.5 Service Pack 4 Hotfix 3 Security Fixes

0 Likes

Summary

VisiBroker 8.5 Service Pack 4 Hotfix 3 Security Fixes

Environment

VisiBroker 8.5 Service Pack 4 Hotfix 3
All supported platforms.

Question/Problem Description

The following CVEs are addressed in VisiBroker 8.5 Service Pack 4 Hotfix 3.

CVE-2017-9281: Integer Overflow (CWE-190) and Out-of-Bounds Read (CWE-125)
An integer overflow (CWE-190) potentially causing an out-of-bounds read (CWE-125) vulnerability in Micro Focus VisiBroker 8.5 can lead to a denial of service.

CVE-2017-9282: Integer Overflow (CWE-190) and Out-of-Bounds Write (CWE-787)
An integer overflow (CWE-190) led to an out-of-bounds write (CWE-787) on a heap-allocated area, leading to heap corruption in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed.

CVE-2017-9283: Out-of-Bounds Read (CWE-125)
An out-of-bounds read (CWE-125) vulnerability exists in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed.

Resolution

The three CVEs described above (CVE-2017-9281, CVE-2017-9282, CVE-2017-9183) have been addressed in VisiBroker 8.5 Service Pack 4 Hotfix 3, available from the Micro Focus Product Update page.

Notes

Micro Focus would like to thank Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting these issues and working with us as we addressed them.

Tags:

Comment List
Anonymous
  • Hi ptripod.

    We can confirm the above vulnerabilities were also present in ealier service packs. As such, we recommend upgrading to service pack 4 hotfix 3 to address them.

     

    Please note, the above CVEs can only impact applications not using transport-level security. Any applications which are using TLS will not be impacted.

     

    Additionally, the vulnerabilities affect C++ applications only. Java applications are safe.

  • Question... Are these CVEs in all of Visibroker 8.5, any service pack up to (not including) 4?  My application currently uses Visibroker 8.5 SP3 and we would like to know if we have to upgrade to SP4 (HF3) to address these issues.  Thanks in advance!  -pct

Related Discussions
Recommended