OpenVMS DCL Security issue CVE-2017-17482

Eddie Orcutt of VSI has written to VSI customers, and Derrel Piper of VSI posted the letter to comp.os.vms:

Dear VSI OpenVMS Customer;

A potential security vulnerability has been found in which a malformed
DCL command table may result in a buffer overflow allowing a local
privilege escalation in non-privileged accounts. This bug is exploitable
on VAX and Alpha and may cause a process crash on IA64. All versions of
VMS and OpenVMS after and including VAX/VMS 4.0 are affected.

A patch kit (DCL100) is available for all VSI versions of OpenVMS.

For Alpha customers running VSI OpenVMS V8.4-2L1 or VSI OpenVMS V8.4-2L2
for Alpha, contact VSI support to obtain the appropriate patch version.

For IA64 customers running VSI OpenVMS V8.4-1H1, VSI OpenVMS V8.4-2, or
VSI OpenVMS V8.4-2L1, if you have a support contract with HPE for your
version, contact HPE customer support to obtain the patch; otherwise,
contact VSI support.

Customers running HPE OpenVMS versions prior to and including V8.4 must
contact HPE customer support.

The Common Vulnerabilities and Exposures (CVE) project has assigned the
ID CVE-2017-17482 to this issue. This is an entry on the CVE List
(http://cve.mitre.org/cve/index.html), which standardizes names for
security problems.

Please note that future CVE notifications will be sent from the
secu...@vmssoftware.com account.

If you have any questions, please email VSI at secu...@vmssoftware.com.
If you are reporting a security vulnerability, please use the secure VSI
web page, when available.

Thank you,

Eddie Orcutt
VP Software Engineering