Multiple vulnerabilities in bzip2

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2019-010	CVE-2016-3189 , CVE-2019-12900	08/08/2019	medium	v3

Vulnerability details

An attacker forcing the extraction of a crafted archive can lead to a denial-of-service or remote code execution.

For SVC: the vulnerable version of bzip2 is embedded in the delivered ova, but not directly used by any functionalities.

Products	Severity	Detail
Stormshield Network Security	medium	An attacker that can force the extraction a crafted archive can lead to a denial-of-service or remote code execution.

SNS: An attacker that can force the extraction a crafted archive can lead to a denial-of-service or remote code execution.

SMC: bzip2 is installed on the operating system but the vulnerability is not triggerable with SMC

SVC: bzip2 is installed on the operating system but the vulnerability is not triggerable with SVC

There is no workaround solution.

SNS: The 2.7.5, 2.15.0, 3.7.8 and 3.9.2 updates will fix this vulnerability.

SMC: The 2.6.0 update will upgrade his version of bzip2.

SVC: The 1.5 update will upgrade his version of bzip2.

Access vector	Access complexity	Authentication	Confidentiality impact	Integrity impact	Availability impact
Adjacent Network	Medium	Single	Complete	Complete	Complete

CVSS Base score: 7.4	CVSS Vector: (AV:A/AC:M/Au:S/C:C/I:C/A:C)

Exploitability	Remediation Level	Report Confidence
Proof of concept code	Official fix	Confirmed

CVSS Temporal score: 5.8	CVSS Vector: (AV:A/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Collateral Damage Potential	Target Distribution
None	High [76-100%]

CVSS Environmental score: 5.8	CVSS Vector: (AV:A/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)