CVE-2017-11166: High severity IBM Data Risk Manager vulnerability

Q: What is the severity of CVE-2017-11166?

CVE-2017-11166 is classified as a denial of service vulnerability due to a memory leak.

Q: How do I fix CVE-2017-11166?

To fix CVE-2017-11166, update to the latest version of ImageMagick or apply the recommended patches provided by the vendor.

Q: What versions are affected by CVE-2017-11166?

CVE-2017-11166 affects ImageMagick versions up to 7.0.5-6 and specific versions of IBM Data Risk Manager up to 2.0.6.

Q: Can CVE-2017-11166 be exploited remotely?

Yes, CVE-2017-11166 can be exploited remotely if a victim opens a specially-crafted image file.

Q: What are the possible impacts of CVE-2017-11166?

The impact of CVE-2017-11166 includes exhaustion of system memory, leading to denial of service.

Published Jul 10, 2017

Updated

ImageMagick is vulnerable to a denial of service, caused by a memory-leak issue in the ReadXWDImage function in coders\xwd.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available memory from the system.

Other sources

The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.

— MITRE

Affected Software

4 affected componentsFixes available

redhat/ImageMagick 7.0.5<6

redhat/ImageMagick 6.9.8<1

IBM Data Risk Manager<=2.0.6

ImageMagick=7.0.5-6

Remediation

Patch Available

https://github.com/ImageMagick/ImageMagick/issues/471

Event History

Jul 10, 2017

CVE Published

via MITRE·06:00 PM

Data Sourced

via MITRE·06:00 PM

Description

Parent advisories

This vulnerability appears in the following advisories.

IBM-6335281

Frequently Asked Questions

What is the severity of CVE-2017-11166?

CVE-2017-11166 is classified as a denial of service vulnerability due to a memory leak.

How do I fix CVE-2017-11166?