[Info-vax] CVE-2017-17482

geraldmarsh100 at gmail.com
Fri Feb 2 04:16:43 EST 2018


On Friday, 26 January 2018 22:19:36 UTC, Derrell Piper  wrote:
> From: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
> Date: Friday, January 26, 2018 at 4:27 PM
> To: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
> Subject: OpenVMS Security Notice
> 
> Dear VSI OpenVMS Customer;
> 
> A potential security vulnerability has been found in which a malformed
> DCL command table may result in a buffer overflow allowing a local
> privilege escalation in non-privileged accounts. This bug is exploitable
> on VAX and Alpha and may cause a process crash on IA64. All versions of
> VMS and OpenVMS after and including VAX/VMS 4.0 are affected.
> 
> A patch kit (DCL100) is available for all VSI versions of OpenVMS.
> 
> For Alpha customers running VSI OpenVMS V8.4-2L1 or VSI OpenVMS V8.4-2L2
> for Alpha, contact VSI support to obtain the appropriate patch version.
> 
> For IA64 customers running VSI OpenVMS V8.4-1H1, VSI OpenVMS V8.4-2, or
> VSI OpenVMS V8.4-2L1, if you have a support contract with HPE for your
> version, contact HPE customer support to obtain the patch; otherwise,
> contact VSI support.
> 
> Customers running HPE OpenVMS versions prior to and including V8.4 must
> contact HPE customer support.
> 
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> ID CVE-2017-17482 to this issue. This is an entry on the CVE List
> (http://cve.mitre.org/cve/index.html), which standardizes names for
> security problems.
> 
> Please note that future CVE notifications will be sent from the
> security at vmssoftware.com account.
> 
> If you have any questions, please email VSI at security at vmssoftware.com.
> If you are reporting a security vulnerability, please use the secure VSI
> web page, when available.
> 
> Thank you,
> 
> Eddie Orcutt
> VP Software Engineering
> (978) 451-0118 (o)
> (601) 946-8420 (c)
> www.vmssoftware.com
> 
> This E-mail is covered by the Electronic Communications Privacy Act, 18
> U.S.C. §§ 2510-2521 and is legally privileged. This information is
> confidential information and is intended only for the use of the
> individual or entity named above. If the reader of this message is not
> the intended recipient, you are hereby notified that any dissemination,
> distribution or copying of this communication is strictly prohibited.
> 
> Disclaimer: comp.os.vms is not an official support channel for VMS Software, Inc.   Statements made here represent only the opinions of the people who post them.  For official VMS support, contact either VSI Software, Inc. or HPE Customer Support through official channels.

It seems it is not exploitable on Itanium.


