===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0010
         Security Bulletin: A Security Vulnerability affects Cloud
              Foundry for IBM Cloud Private (CVE-2019-16935)
                              2 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Private
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Denial of Service               -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1010266 CVE-2019-17495 CVE-2019-16935
                   CVE-2019-16276 CVE-2019-11251 CVE-2019-11245
                   CVE-2019-10744  

Reference:         ESB-2019.4290
                   ESB-2019.4242
                   ESB-2019.4031
                   ESB-2019.4022
                   ESB-2019.3786

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1165804
   https://www.ibm.com/support/pages/node/1165828
   https://www.ibm.com/support/pages/node/1164496
   https://www.ibm.com/support/pages/node/1164388
   https://www.ibm.com/support/pages/node/1164520
   https://www.ibm.com/support/pages/node/1165882
   https://www.ibm.com/support/pages/node/1164448

Comment: This bulletin contains seven (7) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

A Security Vulnerability affects Cloud Foundry for IBM Cloud Private
(CVE-2019-16935)

Security Bulletin

Summary

A Security Vulnerability affects Cloud Foundry for IBM Cloud Private

Vulnerability Details

CVEID: CVE-2019-16935
DESCRIPTION: The documentation XML-RPC server in Python through 2.7.16, 3.x
through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This
occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in
Python 3.x. If set_server_title is called with untrusted input, arbitrary
JavaScript can be delivered to clients that visit the http URL for this server.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages:

  o Cloud Foundry for IBM Cloud Private 3.2.1
  o Cloud Foundry for IBM Cloud Private 3.2.0

For Cloud Foundry for IBM Cloud Private 3.2.1, apply fix pack:

  o Cloud Foundry for IBM Cloud Private 3.2.1 fix pack

For Cloud Foundry for IBM Cloud Private 3.2.0, apply fix pack:

  o Cloud Foundry for IBM Cloud Private 3.2.0 fix pack

If required, individual product fixes can be made available between CD update
packages for resolution of problems. Contact IBM support for assistance.

Workarounds and Mitigations

None

=================================================================================


A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11245)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private Kubernetes

Vulnerability Details

CVEID: CVE-2019-11245
DESCRIPTION: In kubelet v1.13.6 and v1.14.2, containers for pods that do not
specify an explicit runAsUser attempt to run as uid 0 (root) on container
restart, or if the image was previously pulled to the node. If the pod
specified mustRunAsNonRoot: true, the kubelet will refuse to start the
container as root. If the pod did not specify mustRunAsNonRoot: true, the
kubelet will run the container as uid 0.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
161858 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
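The fallback described above only bites containers that pin neither runAsUser nor runAsNonRoot. The audit script below is an added example, not part of the IBM bulletin or of Kubernetes: it walks a pod manifest given as a plain dict (the shape `kubectl get pod -o json` produces), treats a container-level securityContext as overriding the pod-level one field by field, and reports every container, init containers included, that would be exposed; the sample manifest and names are constructed.

```python
# Added example (not from the IBM bulletin or Kubernetes): audit a pod manifest
# for containers that the affected kubelets could start as uid 0 (CVE-2019-11245).
from typing import Any, Dict, List


def effective_security(pod_spec: Dict[str, Any], container: Dict[str, Any]) -> Dict[str, Any]:
    """Merge pod-level and container-level securityContext; container fields win."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Names of containers (init containers included) exposed to the uid-0 fallback.

    A container is flagged when it has no explicit runAsUser and does not set
    runAsNonRoot: true, the pod-spec spelling of the mustRunAsNonRoot policy the
    bulletin refers to. An explicit runAsUser of 0 is the operator's stated
    intent rather than this bug, so it is not flagged.
    """
    spec = pod.get("spec", {})
    flagged = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = effective_security(spec, c)
        if sc.get("runAsUser") is None and sc.get("runAsNonRoot") is not True:
            flagged.append(c["name"])
    return flagged


# Constructed sample manifest: "pinned" and "nonroot" are safe, "unset" and "init" are not.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example"},
    "spec": {
        "securityContext": {"runAsNonRoot": False},
        "containers": [
            {"name": "pinned", "image": "app:1", "securityContext": {"runAsUser": 1000}},
            {"name": "nonroot", "image": "app:1", "securityContext": {"runAsNonRoot": True}},
            {"name": "unset", "image": "app:1"},
        ],
        "initContainers": [{"name": "init", "image": "busybox"}],
    },
}

if __name__ == "__main__":
    for name in audit_pod(SAMPLE_POD):
        print(f"{name}: no runAsUser and runAsNonRoot is not true; may start as uid 0")
```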

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages:

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply October fix pack:

  o IBM Cloud Private 3.2.0.1910 fix pack

For IBM Cloud Private 3.2.1, apply October fix pack:

  o IBM Cloud Private 3.2.1.1910 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance.

Workarounds and Mitigations

None

=================================================================================


A Security Vulnerability affects IBM Cloud Private - lodash (CVE-2019-1010266)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - lodash

Vulnerability Details

CVEID: CVE-2019-1010266
DESCRIPTION: lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled
Resource Consumption. The impact is: Denial of service. The component is: Date
handler. The attack vector is: Attacker provides very long strings, which the
library attempts to match using a regular expression. The fixed version is:
4.17.11.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168402 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages:

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance.

Workarounds and Mitigations

None

=================================================================================


A Security Vulnerability affects IBM Cloud Private - lodash (CVE-2019-10744)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - lodash

Vulnerability Details

CVEID: CVE-2019-10744
DESCRIPTION: Versions of lodash lower than 4.17.12 are vulnerable to Prototype
Pollution. The function defaultsDeep could be tricked into adding or modifying
properties of Object.prototype using a constructor payload.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages:

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance.

Workarounds and Mitigations

None

=================================================================================


A Security Vulnerability affects IBM Cloud Private - kubectl (CVE-2019-11251)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - kubectl

Vulnerability Details

CVEID: CVE-2019-11251
DESCRIPTION: Kubernetes could allow a remote attacker to gain unauthorized
access to the system, caused by an error in `kubectl cp` that allows a
combination of two symlinks to copy a file outside of its destination
directory. An attacker could exploit this vulnerability to write arbitrary
files outside of the destination tree.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
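`kubectl cp` streams a tar archive out of the container and unpacks it locally, so the property that was lost is containment of the extraction. The extractor below is an added example, not kubectl's code: it checks every tar member against the destination directory as it exists at that moment (symlinks written by earlier members included) and refuses any write path or link target that resolves outside it. `build_tar` and the archives in `demo` are constructed fixtures; the hostile one is the shape the advisory describes, two links that each point inside the destination but chain outside it.

```python
# Added example (not kubectl's code): contain a tar extraction inside dest,
# the property a pair of symlinks broke in `kubectl cp` (CVE-2019-11251).
import io, os, tarfile, tempfile

def build_tar(entries):  # fixture helper: (name, kind, payload), kind "file"|"sym"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE if kind == "sym" else tarfile.REGTYPE
            info.linkname, info.size = (payload, 0) if kind == "sym" else ("", len(payload))
            tar.addfile(info, io.BytesIO(payload) if kind == "file" else None)
    return buf.getvalue()

def _inside(base, path):  # resolves every symlink currently on disk
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def safe_extract(tar_bytes, dest):
    """Extract files and symlinks into dest, checking each member against the
    directory as it exists at that moment; ValueError before anything escapes."""
    os.makedirs(dest, exist_ok=True)
    done = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _inside(dest, target):
                raise ValueError(f"{m.name} resolves outside {dest}")
            if m.issym():  # link target is relative to the link's own directory
                link = os.path.join(os.path.dirname(target), m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, link):
                    raise ValueError(f"symlink {m.name} -> {m.linkname} leaves {dest}")
                os.symlink(m.linkname, target)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(tar.extractfile(m).read())
            else:
                raise ValueError(f"unsupported member type: {m.name}")
            done.append(m.name)
    return done

def demo():  # benign archive, then one whose links each point inside but chain outside
    benign = build_tar([("d/a.txt", "file", b"hi"), ("alias", "sym", "d")])
    hostile = build_tar([("a", "sym", "b/.."), ("b", "sym", "."), ("a/pwned.txt", "file", b"x")])
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        ok = safe_extract(benign, dest)
        try:
            safe_extract(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
        escaped = os.path.exists(os.path.join(root, "pwned.txt"))
    return {"benign": ok, "hostile_rejected": rejected, "escaped": escaped}
```

The per-member realpath check is what matters: the first two hostile members pass individually, and only the file written through them resolves to the parent of `dest`, which is exactly where the check runs.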

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages:

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance.

Workarounds and Mitigations

None

=================================================================================


A Security Vulnerability affects IBM Cloud Private - Swagger UI
(CVE-2019-17495)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - Swagger UI

Vulnerability Details

CVEID: CVE-2019-17495
DESCRIPTION: A Cascading Style Sheets (CSS) injection vulnerability in Swagger
UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO)
technique to perform CSS-based input field value exfiltration, such as
exfiltration of a CSRF token value. In other words, this product intentionally
allows the embedding of untrusted JSON data from remote servers, but it was not
previously known that <style>@import within the JSON data was a functional
attack method.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169050 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages:

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance.

Workarounds and Mitigations

None

=================================================================================



A Security Vulnerability affects IBM Cloud Private - Go (CVE-2019-16276)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - Go

Vulnerability Details

CVEID: CVE-2019-16276
DESCRIPTION: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request
Smuggling.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167963 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages:

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance.

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================