Support Content Notification - Support Portal

AION Business Rules Expert r11.0 for Linux libffi library Vulnerability

Product/Component

AION BUSINESS RULES EXPERT

Notification Id

25532

Last Updated

25 March 2025

Initial Publication Date

25 March 2025

Status

CLOSED

Severity

HIGH

CVSS Base Score

Base: 7.0 Temporal: 6.1

WorkAround

Affected CVE

CVE-2017-1000376

Broadcom Mainframe Software is alerting customers to a vulnerability in AION Business Rules Expert for Linux 11.0 release.

AION Business Rules Expert version 11.0 build 201 is affected by a vulnerability in Libffi version 3.0. These vulnerabilities have been fixed by upgrading libffi to version 3.4.7 in the latest release 202.

Product Name	AION Business Rules Expert r11.0 for Linux
Affected component(s)	libffi updated from v3.0.0 to v3.4.7
Version PE was Introduced	Build number: 201 Published Date: 04-25-2022
Severity	HIGH
CVE	CVE-2017-1000376
CVSS Score(s)	Base: 7.0 Temporal: 6.1
CVSS Vector	CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Solution	LU16343
Platform(s)	Linux

Broadcom customers may receive alerts and advisories by subscribing to Proactive Notifications.

If you missed any Mainframe Security Advisory alerts you can find all under Mainframe Security Advisories on the support portal.

To download a .CSV file that contains a consolidated list of security advisories affecting Broadcom mainframe products, click here for download instructions. You can use this file to easily search the CVE information.

Broadcom SECINT HOLDDATA is incorporated into our standard HOLDDATA file downloads. Therefore, it is not necessary to download any additional HOLDDATA files. Broadcom does recommend that you use SMP/E Receive Order to acquire HOLDDATA and maintenance.

Customers who require additional information about this notice may contact Broadcom Support at: support.broadcom.com.

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." For an explanation of the CVSS scoring system and a description of each metric, please visit https://www.first.org/cvss/v3.1/specification-document

BROADCOM PROVIDES THE CVSS BASE AND TEMPORAL SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY IN THEIR SPECIFIC ENVIRONMENT. BROADCOM DOES NOT PROVIDE A CVSS ENVIRONMENT SCORE. THE CVSS ENVIRONMENT SCORE IS CUSTOMER ENVIRONMENT SPECIFIC AND WILL IMPACT THE OVERALL CVSS SCORE. CUSTOMERS SHOULD EVALUATE THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY AND CAN CALCULATE A CVSS ENVIRONMENT SCORE.

The CVSS score and all other information describing the security matter is Broadcom confidential and may be used by you for internal purposes only and may not be disclosed to any third party without Broadcom's prior written consent.