[Info-vax] CVE-2017-17482

Derrell Piper derrell.piper at vmssoftware.com
Fri Jan 26 17:19:33 EST 2018


From: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
Date: Friday, January 26, 2018 at 4:27 PM
To: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
Subject: OpenVMS Security Notice

Dear VSI OpenVMS Customer,

A potential security vulnerability has been found in which a malformed
DCL command table may result in a buffer overflow allowing a local
privilege escalation in non-privileged accounts. This bug is exploitable
on VAX and Alpha and may cause a process crash on IA64. All versions of
VMS and OpenVMS after and including VAX/VMS 4.0 are affected.

A patch kit (DCL100) is available for all VSI versions of OpenVMS.

For Alpha customers running VSI OpenVMS V8.4-2L1 or VSI OpenVMS V8.4-2L2
for Alpha, contact VSI support to obtain the appropriate patch version.

For IA64 customers running VSI OpenVMS V8.4-1H1, VSI OpenVMS V8.4-2, or
VSI OpenVMS V8.4-2L1, if you have a support contract with HPE for your
version, contact HPE customer support to obtain the patch; otherwise,
contact VSI support.

Customers running HPE OpenVMS versions prior to and including V8.4 must
contact HPE customer support.

The Common Vulnerabilities and Exposures (CVE) project has assigned the
ID CVE-2017-17482 to this issue. This is an entry on the CVE List
(http://cve.mitre.org/cve/index.html), which standardizes names for
security problems.

Please note that future CVE notifications will be sent from the
security at vmssoftware.com account.

If you have any questions, please email VSI at security at vmssoftware.com.
If you are reporting a security vulnerability, please use the secure VSI
web page, when available.

Thank you,

Eddie Orcutt
VP Software Engineering
(978) 451-0118 (o)
(601) 946-8420 (c)
www.vmssoftware.com

This E-mail is covered by the Electronic Communications Privacy Act, 18
U.S.C. §§ 2510-2521 and is legally privileged. This information is
confidential information and is intended only for the use of the
individual or entity named above. If the reader of this message is not
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.

Disclaimer: comp.os.vms is not an official support channel for VMS Software, Inc.   Statements made here represent only the opinions of the people who post them.  For official VMS support, contact either VSI Software, Inc. or HPE Customer Support through official channels.


