Security Bulletin: Vulnerability with the open source Perl Compatible Regular Expression (PCRE) library used in IBM Aspera Shares 1.9.2 and earlier

Summary

There are multiple vulnerabilities with earlier versions of PCRE which was used by the IBM Aspera Shares Application.

Vulnerability Details

CVEID: CVE-2015-8380
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of a pattern with a \01 string by the pcre_exec function. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8381
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of patterns with certain group references by the compile_regex function. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8382
DESCRIPTION: PCRE could allow a remote attacker to obtain sensitive information, caused by the mishandling of the pattern and related patterns involving (*ACCEPT) by the match function. An attacker could exploit this vulnerability using a specially crafted regular expression to obtain sensitive information or cause a denial of service.

CVEID: CVE-2015-8383
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of certain repeated conditional groups. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8384
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of pattern and related patterns with certain recursive back references. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8385
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of pattern and related patterns with certain forward references. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8386
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of the interaction of lookbehind assertions and mutually recursive subpatterns. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8387
DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow when subroutine calls are mishandled. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.

CVEID: CVE-2015-8388
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling ofpattern and related patterns with an unmatched closing parenthesis. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8389
DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of patterns. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.

CVEID: CVE-2015-8390
DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of substrings in character classes. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.

CVEID: CVE-2015-8391
DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of certain nesting by the pcre_compile function. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.

CVEID: CVE-2015-8392
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of certain instances of the (?| substring. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2015-8393
DESCRIPTION: PCRE could allow a remote attacker to obtain sensitive information, caused by the mishandling of the -q option for binary files by pcregrep. An attacker could exploit this vulnerability using a specially crafted file to obtain sensitive information.

CVEID: CVE-2015-8394
DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of digits. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.

CVEID: CVE-2015-8395
DESCRIPTION: PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of certain references. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.

CVEID: CVE-2015-3210
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow. By sending a specially-crafted regular expression, an attacker could overflow a buffer and execute arbitrary code on the system.

CVEID: CVE-2015-2327
DESCRIPTION: PCRE is vulnerable to a denial of service, caused by the improper handling of patterns with certain recursion. A remote attacker could exploit this vulnerability using a specially crafted regular expression to cause a segmentation fault.

CVEID: CVE-2015-2328
DESCRIPTION: PCRE is vulnerable to a denial of service, caused by the improper handling of patterns with certain internal recursive back references. A remote attacker could exploit this vulnerability using a specially crafted regular expression to cause a segmentation fault.

CVEID: CVE-2016-1283
DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of patterns by the pcre_compile2() function. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVEID: CVE-2014-9769
DESCRIPTION: PCRE is vulnerable to a denial of service, caused by the failure to properly use table jumps to optimize nested alternatives by pcre_jit_compile.c. A remote attacker could exploit this vulnerability using a specially crafted string to corrupt the stack and cause a segmentation fault.

CVEID: CVE-2016-3191
DESCRIPTION: PCRE and PCRE2 are vulnerable to a stack-based buffer overflow, caused by the improper handling of the (*ACCEPT) substring by the compile_branch function in pcre_compile.c. By using a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Affected Products and Versions

IBM Aspera Shares Application 1.9.2 or earlier

Remediation/Fixes

Upgrade to IBM Aspera Shares Application 1.9.4 or later for Linux, and 1.9.6 or later for Windows from the Aspera downloads site.

For unsupported versions of IBM Aspera Shares Application, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None
References

Complete CVSS v3 Guide

On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

30-September 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk