(IBM Issues Fix for IBM Security AppScan Source) cURL/libcurl TLS Connection Reuse Bug Lets Remote Users Bypass Security Restrictions on the Target System
SecurityTracker Alert ID: 1037740
SecurityTracker URL: http://securitytracker.com/id/1037740

CVE Reference: CVE-2016-5420

Date: Jan 31 2017

Impact:
Disclosure of system information, Disclosure of user information

Fix Available: Yes
Vendor Confirmed: Yes

Version(s): Source 9.0.1, 9.0.2, 9.0.3, 9.0.3.1, 9.0.3.2, 9.0.3.3, 9.0.3.4, 9.0.3.5

Description:
A vulnerability was reported in cURL/libcurl. A remote user can bypass security controls on the target system. IBM Security AppScan Source is affected.
The library may reuse an existing TLS connection even though it was authenticated with a client certificate different from the one configured for the new request. As a result, an application may send requests to the wrong target realm using the incorrect authentication method.
The command line tool is also affected.
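The defect described above is a connection-reuse match that ignores the client certificate. The following added illustration (not curl's or IBM's code; hostnames and certificate paths are constructed) models a pool matcher with that defect beside one that includes the client certificate in the reuse key, as the fix does:

```python
"""Constructed model of the CVE-2016-5420 reuse defect and its correction."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class TlsConn:
    """A pooled connection: handshaked once, with one client cert (or none)."""
    host: str
    port: int
    client_cert: Optional[str]


@dataclass(frozen=True)
class Request:
    """A new transfer and the client cert the caller configured for it."""
    host: str
    port: int
    client_cert: Optional[str]


def reusable_vulnerable(conn: TlsConn, req: Request) -> bool:
    """Defective match: only the destination is compared, so a connection
    authenticated as a different identity is handed to this request."""
    return conn.host == req.host and conn.port == req.port


def reusable_fixed(conn: TlsConn, req: Request) -> bool:
    """Corrected match: the client cert is part of the reuse key, so a
    mismatch (or a missing cert) forces a fresh handshake."""
    return (conn.host == req.host and conn.port == req.port
            and conn.client_cert == req.client_cert)


def pick_connection(pool: List[TlsConn], req: Request,
                    matcher: Callable[[TlsConn, Request], bool]) -> Optional[TlsConn]:
    """Return the first pooled connection the matcher accepts, else None."""
    for conn in pool:
        if matcher(conn, req):
            return conn
    return None


# Constructed pool: one connection to the API, opened with user A's cert.
POOL = [TlsConn("api.example.test", 443, "/certs/userA.pem")]


def demo() -> dict:
    """Same destination, different identities: which matcher reuses user A's session?"""
    req_b = Request("api.example.test", 443, "/certs/userB.pem")
    req_none = Request("api.example.test", 443, None)
    return {"vuln_b": pick_connection(POOL, req_b, reusable_vulnerable),
            "fixed_b": pick_connection(POOL, req_b, reusable_fixed),
            "vuln_none": pick_connection(POOL, req_none, reusable_vulnerable),
            "fixed_none": pick_connection(POOL, req_none, reusable_fixed)}
```

With the defective matcher both `req_b` and `req_none` are sent over user A's authenticated session; with the corrected matcher neither is reused, while a request configured with user A's cert still is.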

Impact:
A remote user may be able to access data sent via a re-used TLS connection with the wrong or missing client certificate.

Solution:
IBM has issued a fix for IBM Security AppScan Source (PSIRT9-iFix).
The IBM advisory is available at:
http://www-01.ibm.com/support/docview.wss?uid=swg21997845

Vendor URL: www-01.ibm.com/support/docview.wss?uid=swg21997845

Cause:
Access control error

Underlying OS: Linux (Any), UNIX (macOS/OS X), Windows (Any)