IBM Cloud Private: Denial of Service -- Remote/Unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0824
        IBM Security Bulletin: A Security Vulnerability affects IBM
                          Cloud Private - Python
                               14 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Private
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14647  

Reference:         ESB-2019.0576
                   ESB-2018.2924
                   ESB-2018.3549.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10871660

- --------------------------BEGIN INCLUDED TEXT--------------------

A Security Vulnerability affects IBM Cloud Private - Python

Product:             IBM Cloud Private

Software version:    All Versions

Operating system(s): Linux

Reference #:         0871660

Security Bulletin

Summary

IBM Cloud Private, Cloud Foundry for IBM Cloud Private and IBM Cloud Automation
Manager are vulnerable to a security vulnerability in Python

Vulnerability Details

CVEID: CVE-2018-14647
DESCRIPTION: Python is vulnerable to a denial of service, caused by a flaw in
the elementtree C accelerator. By using a specially-crafted XML document, a
remote attacker could exploit this vulnerability to cause a resource
exhaustion.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
150579 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

  o IBM Cloud Private 2.1.x, 3.1.0, 3.1.1
  o Cloud Foundry for IBM Cloud Private 3.1.1
  o IBM Cloud Automation Manager 3.1.0

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.1.2
  o IBM Cloud Private 3.1.1

For IBM Cloud Private 3.1.1

  o Apply these patches:
       IBM Cloud Private 3.1.1 Patch - Auth-pdp
       IBM Cloud Private 3.1.1 Patch - Key-management

For IBM Cloud Private, 2.1.x, 3.1.0:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.1.2.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance



For Cloud Foundry for IBM Cloud Private 3.1.1:

  o Install Python buildpack v1.6.25

Use the following cli command to install the buildpack:

cf create-buildpack [BUILDPACK_NAME] [BUILDPACK_ZIP_FILE-PATH] 1


For IBM Cloud Automation Manager3.1.0:

  o Upgrade the Pattern Manager and Software Repository docker container using
    the instructions below:

You can upgrade the Pattern Manager and Software Repository docker containers
that are created using Content Runtime template 2.1, 2.2 and 2.3. Before
upgrading your Pattern Manager and Software Repository docker containers, make
sure you have no middleware content template deployments, destructions or
deletes in "Progress" state. If there are, then wait for them to complete
before starting your upgrade.

Follow the steps below to upgrade your containers.

1. Log into Content Runtime System.

2. Find the image version using docker ps. If the image name is appended with
1.0-current, then you are using 1.0-current image. If the image name is
appended with 2.0-current, then you are using 2.0-current image. (Example: If
the image name is camc-pattern-manager:1.0-current then you are using
1.0-current and if the image name is camc-pattern-manager:2.0-current then you
are using 2.0-current)

3. Execute the following command to update your container to the latest version
of Pattern Manager and Software Repository docker containers. Execution of this
command will upgrade both Pattern Manager and Software Repository docker
container.

~/advanced-content-runtime/image-upgrade.sh camc-sw-repo <image-version>

Example:

If your current image version is 1.0-current then execute

~/advanced-content-runtime/image-upgrade.sh camc-sw-repo 1.0-current

If your current image version is 2.0-current then execute

~/advanced-content-runtime/image-upgrade.sh camc-sw-repo 2.0-current

4. To verify the upgrade, after successful execution of the above command,
execute the following steps
a. Get the container ID of the containers usingdocker ps
b. Execute the following docker exec command to work on Pattern Manager
container

docker exec -it <camc-pattern-manager-container-id> /bin/bash

c. In the Pattern Manager container execute python and you should see the
following as python version

Python 2.7.15rc1

Execute cat /etc/os-release and you should see 18.04.1 LTS (Bionic Beaver) as
Ubuntu version

d. Execute the following docker exec command to work on Software Repository
container

docker exec -it <camc-software-repo-container-id> /bin/bash

e. In the Software Repository container execute python and you should see

bash: python: command not found

Execute cat /etc/os-release and you should see 18.04.1 LTS (Bionic Beaver) as
Ubuntu version

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

12 March 2019 - original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXInQFmaOgq3Tt24GAQgU3RAA11A2Npm6gqYPOBqalXvZWxNAa/YQJiZ9
Q36lQyVaDARWqfaER9EiG2qYhpcUBGpwhP+oTbYpJb6WbDPPyii1kviUz50btxAd
w39eXPbOcKVCCO+H8N5kSlNIjLxq266QeF9ShfdSydN0esjeGC+5c7s9guib3X7a
yWJap7r/9hnIjr+7wCFqkJIrTF1Yyv82i9IalFMdQ3eTCyQ5B7Z8s6k8JAKX8Fgb
BnUEhwiyq/CQ0d6QGIVu0UwnZqCN4a75sNu3j5hxvpd2amz68E47YGHnnNznsaNU
NT7LnIbElmjUIKb6YDR0eJl0vL9lPu/zyGNcLBFE5MyKhj4cZKV6mhRmqP2kkfMe
5n6D8U5bWvelD9gdDJo1bxnZS03YJETOi4nzewblYshEvJV7gfGIkwwwdcUKTNn4
s4nMAcLS+1HDrJrlzwl+s1XhoFJy7tVXVRBQL1qhQtYengqJIprLf+/1jflazsgQ
huxFYMRxpv+TqJxGTdIK14qsPfq1Rl3ED4Op/maNJGDdNIuMb1xfAS6RxiWWwtAC
LxaWOUE/ni6TwZdBNO6jg45xgY0R1qyvlOnIvRVU9tCgyavSv8k9U6kiCCQy+zoV
bHjrhhaAguURY7cAXZqwCXjEwu8atHxGW7mP39ap7PVm0ProyoSEyidBfPmvZCIV
DmvnsCpOoIw=
=9X7f
-----END PGP SIGNATURE-----