VisiBroker 8.5 Service Pack 4 Hotfix 3 Security Fixes

Summary

VisiBroker 8.5 Service Pack 4 Hotfix 3 addresses three vulnerabilities in VisiBroker 8.5 (CVE-2017-9281, CVE-2017-9282 and CVE-2017-9283): two integer overflows leading to an out-of-bounds read and an out-of-bounds write respectively, and a separate out-of-bounds read.

Environment

VisiBroker 8.5 Service Pack 4 Hotfix 3
All supported platforms.

Question/Problem Description

The following CVEs are addressed in VisiBroker 8.5 Service Pack 4 Hotfix 3.

CVE-2017-9281: Integer Overflow (CWE-190) and Out-of-Bounds Read (CWE-125)
An integer overflow (CWE-190) that can cause an out-of-bounds read (CWE-125) exists in Micro Focus VisiBroker 8.5 and can lead to a denial of service.

CVE-2017-9282: Integer Overflow (CWE-190) and Out-of-Bounds Write (CWE-787)
An integer overflow (CWE-190) leads to an out-of-bounds write (CWE-787) into a heap-allocated buffer, corrupting the heap, in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed.

CVE-2017-9283: Out-of-Bounds Read (CWE-125)
An out-of-bounds read (CWE-125) vulnerability exists in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed.
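The CWE chain named in the three entries above (a 32-bit length or element count wraps, so a bounds check or an allocation size comes out far too small, and the read or write that trusts it runs off the end of the buffer) is easier to see in code than in prose. The C program below is an added illustration written for this page; it is not VisiBroker source, and the record layout, function names and sample bytes are constructed assumptions rather than VisiBroker's actual message format. It places each naive check beside its hardened form and parses one benign and one hostile record.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example of the CWE-190 -> CWE-125 / CWE-787 chain. NOT
 * VisiBroker code: a hypothetical record with an attacker-controlled
 * 32-bit offset and 32-bit length, parsed as a 32-bit native ORB might.
 */

/* Vulnerable bounds check: offset + len is evaluated in 32-bit unsigned
 * arithmetic, so a huge len wraps the sum to a small value and the check
 * passes (CWE-190). The read that follows runs past the buffer (CWE-125). */
bool bounds_ok_vulnerable(uint32_t buf_len, uint32_t offset, uint32_t len)
{
    uint32_t end = offset + len;            /* may wrap modulo 2^32 */
    return end <= buf_len;
}

/* Hardened check: compare each term against the space actually left,
 * so no intermediate sum can wrap. */
bool bounds_ok_hardened(uint32_t buf_len, uint32_t offset, uint32_t len)
{
    if (offset > buf_len)
        return false;
    return len <= buf_len - offset;         /* cannot underflow after the test above */
}

/* Vulnerable allocation size: count * elem_size wraps, the heap block
 * comes out tiny, and the loop that fills `count` elements writes past it
 * (CWE-787, heap corruption). Computed in 64 bits and masked so the
 * 32-bit wrap is reproduced portably. */
uint32_t alloc_size_vulnerable(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)(((uint64_t)count * elem_size) & 0xFFFFFFFFu);
}

/* Hardened version: reject before multiplying. Returns 0 with *ok = false
 * on overflow or a zero element size. */
uint32_t alloc_size_hardened(uint32_t count, uint32_t elem_size, bool *ok)
{
    if (elem_size == 0 || count > UINT32_MAX / elem_size) {
        *ok = false;
        return 0;
    }
    *ok = true;
    return count * elem_size;
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a constructed record: 4-byte LE offset, 4-byte LE length, then
 * payload; offset is relative to the start of msg. Copies the addressed
 * element into out using the hardened check. Returns bytes copied, or -1
 * if the record is malformed. */
int extract_element(const uint8_t *msg, size_t msg_len,
                    uint8_t *out, size_t out_cap)
{
    if (msg_len < 8 || msg_len > UINT32_MAX)
        return -1;
    uint32_t offset = rd_le32(msg);
    uint32_t len    = rd_le32(msg + 4);
    if (!bounds_ok_hardened((uint32_t)msg_len, offset, len))
        return -1;
    if (len > out_cap)
        return -1;
    memcpy(out, msg + offset, len);
    return (int)len;
}

int main(void)
{
    /* Constructed benign record: element "ABCD" at offset 8. */
    const uint8_t good[] = { 8,0,0,0, 4,0,0,0, 'A','B','C','D','E','F' };
    /* Constructed hostile record: len 0xFFFFFFF8, so 16 + len wraps to 8. */
    const uint8_t evil[] = { 16,0,0,0, 0xF8,0xFF,0xFF,0xFF, 0,0,0,0,0,0,0,0 };
    uint8_t out[16];
    bool ok;

    printf("benign record: %d bytes copied\n",
           extract_element(good, sizeof good, out, sizeof out));
    printf("hostile record, naive check passes: %s\n",
           bounds_ok_vulnerable((uint32_t)sizeof evil, 16, 0xFFFFFFF8u) ? "yes" : "no");
    printf("hostile record, hardened parser: %d\n",
           extract_element(evil, sizeof evil, out, sizeof out));
    printf("0x40000001 * 4: naive size %u bytes\n",
           alloc_size_vulnerable(0x40000001u, 4));
    alloc_size_hardened(0x40000001u, 4, &ok);
    printf("0x40000001 * 4: hardened accepts = %s\n", ok ? "yes" : "no");
    return 0;
}
```

The naive check accepts the hostile record because the sum wraps to 8, which is the same reason a sanitizer-free build would read past the buffer; the hardened check never forms the sum. The allocation check follows the same rule: decide whether the multiplication can overflow before performing it, rather than inspecting a result that may already have wrapped.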

Resolution

The three CVEs described above (CVE-2017-9281, CVE-2017-9282, CVE-2017-9283) have been addressed in VisiBroker 8.5 Service Pack 4 Hotfix 3, available from the Micro Focus Product Update page.

Notes

Micro Focus would like to thank Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting these issues and working with us as we addressed them.

Comments

Question... Are these CVEs in all of VisiBroker 8.5, any service pack up to (not including) 4? My application currently uses VisiBroker 8.5 SP3 and we would like to know if we have to upgrade to SP4 (HF3) to address these issues. Thanks in advance! -pct

Hi ptripod.

We can confirm the above vulnerabilities were also present in earlier service packs. As such, we recommend upgrading to Service Pack 4 Hotfix 3 to address them.

Please note that the above CVEs can only impact applications not using transport-level security. Any applications which are using TLS will not be impacted.

Additionally, the vulnerabilities affect C++ applications only. Java applications are safe.

Version history: Revision 1 of 1. Last update: 2017-09-18 18:48.