-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0010
  Security Bulletin: A Security Vulnerability affects Cloud Foundry for IBM
                      Cloud Private (CVE-2019-16935)
                               2 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Private
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1010266 CVE-2019-17495 CVE-2019-16935
                   CVE-2019-16276 CVE-2019-11251 CVE-2019-11245
                   CVE-2019-10744
Reference:         ESB-2019.4290
                   ESB-2019.4242
                   ESB-2019.4031
                   ESB-2019.4022
                   ESB-2019.3786

Original Bulletin:
   https://www.ibm.com/support/pages/node/1165804
   https://www.ibm.com/support/pages/node/1165828
   https://www.ibm.com/support/pages/node/1164496
   https://www.ibm.com/support/pages/node/1164388
   https://www.ibm.com/support/pages/node/1164520
   https://www.ibm.com/support/pages/node/1165882
   https://www.ibm.com/support/pages/node/1164448

Comment: This bulletin contains seven (7) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

A Security Vulnerability affects Cloud Foundry for IBM Cloud Private
(CVE-2019-16935)

Security Bulletin

Summary

A Security Vulnerability affects Cloud Foundry for IBM Cloud Private

Vulnerability Details

CVEID: CVE-2019-16935
DESCRIPTION: The documentation XML-RPC server in Python through 2.7.16, 3.x
through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field.
This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
untrusted input, arbitrary JavaScript can be delivered to clients that visit
the http URL for this server.
CVSS Base score: 6.1
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/168612 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o Cloud Foundry for IBM Cloud Private 3.2.1
  o Cloud Foundry for IBM Cloud Private 3.2.0

For Cloud Foundry for IBM Cloud Private 3.2.1, apply fix pack:

  o Cloud Foundry for IBM Cloud Private 3.2.1 fix pack

For Cloud Foundry for IBM Cloud Private 3.2.0, apply fix pack:

  o Cloud Foundry for IBM Cloud Private 3.2.0 fix pack

If required, individual product fixes can be made available between CD update
packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None

References

=================================================================================

A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11245)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private Kubernetes

Vulnerability Details

CVEID: CVE-2019-11245
DESCRIPTION: In kubelet v1.13.6 and v1.14.2, containers for pods that do not
specify an explicit runAsUser attempt to run as uid 0 (root) on container
restart, or if the image was previously pulled to the node. If the pod
specified mustRunAsNonRoot: true, the kubelet will refuse to start the
container as root.
If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the
container as uid 0.
CVSS Base score: 4.9
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/161858 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply October fix pack:

  o IBM Cloud Private 3.2.0.1910 fix pack

For IBM Cloud Private 3.2.1, apply October fix pack:

  o IBM Cloud Private 3.2.1.1910 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

References

=================================================================================

A Security Vulnerability affects IBM Cloud Private - lodash (CVE-2019-1010266)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - lodash

Vulnerability Details

CVEID: CVE-2019-1010266
DESCRIPTION: lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled
Resource Consumption. The impact is: Denial of service. The component is: Date
handler. The attack vector is: Attacker provides very long strings, which the
library attempts to match using a regular expression. The fixed version is:
4.17.11.
CVSS Base score: 4
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/168402 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

References

=================================================================================

A Security Vulnerability affects IBM Cloud Private - lodash (CVE-2019-10744)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - lodash

Vulnerability Details

CVEID: CVE-2019-10744
DESCRIPTION: Versions of lodash lower than 4.17.12 are vulnerable to Prototype
Pollution. The function defaultsDeep could be tricked into adding or modifying
properties of Object.prototype using a constructor payload.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/167415 for the current
score.
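The prototype-pollution failure mode described for CVE-2019-10744 above is easiest to see in a minimal deep-defaults merge. The following is an added example written for this bulletin redistribution; it is not lodash's code and not part of the IBM or AusCERT text. It places a naive recursive merge, which descends into whatever keys the untrusted input carries, beside a hardened version that refuses to walk prototype-controlling keys, and it includes a small check a reviewer can run to confirm whether a given merge routine leaves Object.prototype untouched. The function names and the payload string are constructed for the example.

```javascript
// Added example (not the bulletin's or lodash's code): a naive "defaults deep"
// merge beside a hardened one, plus a check that detects prototype pollution.

// Keys that let a merge walk from an ordinary object into Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable stand-in: recurses into any key present in `source`. For the key
// "constructor", target.constructor is the Object function, so the merge
// continues into Object.prototype and writes attacker-chosen properties there.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (target[key] === undefined) target[key] = {};
      naiveDefaultsDeep(target[key], source[key]);
    } else if (target[key] === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened stand-in: skips prototype-controlling keys and only fills in keys
// that `target` does not already own, so the walk can never leave `target`.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const has = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(source[key])) {
      if (!has) target[key] = {};
      if (isPlainObject(target[key])) safeDefaultsDeep(target[key], source[key]);
    } else if (!has) {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection helper: merges `payloadJson` into a fresh object with `mergeFn`
// and reports whether an unrelated empty object afterwards sees the marker
// property, i.e. whether Object.prototype was modified. Cleans up either way.
function pollutesPrototype(mergeFn, payloadJson, marker = 'polluted') {
  delete Object.prototype[marker];
  try {
    mergeFn({}, JSON.parse(payloadJson));
    return ({})[marker] !== undefined;
  } finally {
    delete Object.prototype[marker];
  }
}

// Constructed inputs shaped like the "constructor payload" the advisory
// mentions, and the equivalent __proto__ form, as they would arrive in a
// JSON request body.
const CONSTRUCTED_PAYLOADS = [
  '{"constructor":{"prototype":{"polluted":"yes"}}}',
  '{"__proto__":{"polluted":"yes"}}',
];

// Summarises which merge routine is affected by which constructed payload.
function assessMerges() {
  return CONSTRUCTED_PAYLOADS.map((p) => ({
    payload: p,
    naive: pollutesPrototype(naiveDefaultsDeep, p),
    safe: pollutesPrototype(safeDefaultsDeep, p),
  }));
}

console.log(assessMerges());
```

The detection helper is the part worth keeping around: run it against whatever merge or "defaults" utility a codebase actually uses, with the dependency pinned at the version in question, and treat a `true` result as a blocker. The hardened merge also shows the two independent guards a fixed implementation needs: denying the three prototype-controlling keys, and never recursing into a property the target did not own to begin with.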
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

References

=================================================================================

A Security Vulnerability affects IBM Cloud Private - kubectl (CVE-2019-11251)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - kubectl

Vulnerability Details

CVEID: CVE-2019-11251
DESCRIPTION: Kubernetes could allow a remote attacker to gain unauthorized
access to the system, caused by an error in `kubectl cp` that allows a
combination of two symlinks to copy a file outside of its destination
directory. An attacker could exploit this vulnerability to write arbitrary
files outside of the destination tree.
CVSS Base score: 5.9
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/168617 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

References

=================================================================================

A Security Vulnerability affects IBM Cloud Private - Swagger UI (CVE-2019-17495)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - Swagger UI

Vulnerability Details

CVEID: CVE-2019-17495
DESCRIPTION: A Cascading Style Sheets (CSS) injection vulnerability in Swagger
UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO)
technique to perform CSS-based input field value exfiltration, such as
exfiltration of a CSRF token value. In other words, this product intentionally
allows the embedding of untrusted JSON data from remote servers, but it was not
previously known that <style>@import within the JSON data was a functional
attack method.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/169050 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

References

=================================================================================

A Security Vulnerability affects IBM Cloud Private - Go (CVE-2019-16276)

Security Bulletin

Summary

A Security Vulnerability affects IBM Cloud Private - Go

Vulnerability Details

CVEID: CVE-2019-16276
DESCRIPTION: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request
Smuggling.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/167963 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

References

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXg070GaOgq3Tt24GAQhSDxAAxTLPF41f9XQxq4uzaQI3LVlMlKGLKHjT
VDyPim1DsBC4xufsd35zLq6k9pw5vmYeaex4NCuIgtUdEob/dL2Tmwexr99cyMle
fK2n6xtmHKYJ+QqAKBCWUmQqRMMJHEJS7wBQscvfhozCZ7jnz0e2Th8IRhQwvfDN
X7FuoQd/5Y0HEHz6QEZZpUPIt0yrKGbgkoXI7gAS/QDCoy7udnUb9UuifW0AEZol
3/Q4u0lrGftwAeNTyu/ON3GsZt40hJw5jmkSZTT3kT4i+zvrHe6BBVUyx7wxjbMo
thY3xfspC4ZOzq6kYPdHsx2bAxitYBT+jT/ue+6c7e6EgsIP9EiZOy2c86f8z9Sr
koc2+K7HhmQ9DjfsZXMxkfJXM0GNNdPDt57N4RSnTrCc3WBStKLcGOCnXDSYHZ5T
iptseltwf7d/f60SaF1HzHT4aRI9cP7M9ISqqk0vZdC6g94qGGOndKCR7N2OUrxu
fF4PO8XY/auzMnxidmg1f7cWc/pWY8AaHFAwWArtNJc/XxdG9f7YMJfrPMbx48So
H1E3d8NDLwWbPw92K5PAH8a4ursehr98s1m0nhR5voR1UyVi08wT6nRDZznVUoXA
MwRrnpPRRuwk2CEFQvNNPJ/JEfJRacrHhrUUPcQu+n/TJ/5sgjOlI3hBx5H0t4yc
t8v9kPZqWYo=
=Gboo
-----END PGP SIGNATURE-----