Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0010
Security Bulletin: A Security Vulnerability affects Cloud
Foundry for IBM Cloud Private (CVE-2019-16935)
2 January 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Cloud Private
Publisher: IBM
Operating System: Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Modify Arbitrary Files -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Denial of Service -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-1010266 CVE-2019-17495 CVE-2019-16935
CVE-2019-16276 CVE-2019-11251 CVE-2019-11245
CVE-2019-10744
Reference: ESB-2019.4290
ESB-2019.4242
ESB-2019.4031
ESB-2019.4022
ESB-2019.3786
Original Bulletin:
https://www.ibm.com/support/pages/node/1165804
https://www.ibm.com/support/pages/node/1165828
https://www.ibm.com/support/pages/node/1164496
https://www.ibm.com/support/pages/node/1164388
https://www.ibm.com/support/pages/node/1164520
https://www.ibm.com/support/pages/node/1165882
https://www.ibm.com/support/pages/node/1164448
Comment: This bulletin contains seven (7) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
A Security Vulnerability affects Cloud Foundry for IBM Cloud Private
(CVE-2019-16935)
Security Bulletin
Summary
A Security Vulnerability affects Cloud Foundry for IBM Cloud Private
Vulnerability Details
CVEID: CVE-2019-16935
DESCRIPTION: The documentation XML-RPC server in Python through 2.7.16, 3.x
through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This
occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in
Python 3.x. If set_server_title is called with untrusted input, arbitrary
JavaScript can be delivered to clients that visit the http URL for this server.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.2.0 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
Remediation/Fixes
Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages
o Cloud Foundry for IBM Cloud Private 3.2.1
o Cloud Foundry for IBM Cloud Private 3.2.0
For Cloud Foundry for IBM Cloud Private 3.2.1, applyfix pack:
o Cloud Foundry for IBM Cloud Private 3.2.1 fix pack
For Cloud Foundry for IBM Cloud Private 3.2.0, applyfix pack:
o Cloud Foundry for IBM Cloud Private 3.2.0 fix pack
If required, individual product fixes can be made available between CD update
packages for resolution of problems. Contact IBM support for assistance
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
=================================================================================
A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11245)
Security Bulletin
Summary
A Security Vulnerability affects IBM Cloud Private Kubernetes
Vulnerability Details
CVEID: CVE-2019-11245
DESCRIPTION: In kubelet v1.13.6 and v1.14.2, containers for pods that do not
specify an explicit runAsUser attempt to run as uid 0 (root) on container
restart, or if the image was previously pulled to the node. If the pod
specified mustRunAsNonRoot: true, the kubelet will refuse to start the
container as root. If the pod did not specify mustRunAsNonRoot: true, the
kubelet will run the container as uid 0.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
161858 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.2.0 CD |
+--------------------+----------+
Remediation/Fixes
Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages
o IBM Cloud Private 3.2.0
o IBM Cloud Private 3.2.1
For IBM Cloud Private 3.2.0, apply October fix pack:
o IBM Cloud Private 3.2.0.1910 fix pack
For IBM Cloud Private 3.2.1, apply October fix pack:
o IBM Cloud Private 3.2.1.1910 fix pack
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.1.
o If required, individual product fixes can be made available between CD
update packages for resolution of problems. Contact IBM support for
assistance
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
=================================================================================
A Security Vulnerability affects IBM Cloud Private - lodash (CVE-2019-1010266)
Security Bulletin
Summary
A Security Vulnerability affects IBM Cloud Private - lodash
Vulnerability Details
CVEID: CVE-2019-1010266
DESCRIPTION: lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled
Resource Consumption. The impact is: Denial of service. The component is: Date
handler. The attack vector is: Attacker provides very long strings, which the
library attempts to match using a regular expression. The fixed version is:
4.17.11.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168402 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.2.0 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
Remediation/Fixes
Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages
o IBM Cloud Private 3.2.0
o IBM Cloud Private 3.2.1
For IBM Cloud Private 3.2.0, apply November fix pack:
o IBM Cloud Private 3.2.0.1911 fix pack
For IBM Cloud Private 3.2.1, apply November fix pack:
o IBM Cloud Private 3.2.1.1911 fix pack
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.1.
o If required, individual product fixes can be made available between CD
update packages for resolution of problems. Contact IBM support for
assistance
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
=================================================================================
A Security Vulnerability affects IBM Cloud Private - lodash (CVE-2019-10744)
Security Bulletin
Summary
A Security Vulnerability affects IBM Cloud Private - lodash
Vulnerability Details
CVEID: CVE-2019-10744
DESCRIPTION: Versions of lodash lower than 4.17.12 are vulnerable to Prototype
Pollution. The function defaultsDeep could be tricked into adding or modifying
properties of Object.prototype using a constructor payload.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.0 CD |
+--------------------+----------+
Remediation/Fixes
Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages
o IBM Cloud Private 3.2.0
o IBM Cloud Private 3.2.1
For IBM Cloud Private 3.2.0, apply November fix pack:
o IBM Cloud Private 3.2.0.1911 fix pack
For IBM Cloud Private 3.2.1, apply November fix pack:
o IBM Cloud Private 3.2.1.1911 fix pack
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.1.
o If required, individual product fixes can be made available between CD
update packages for resolution of problems. Contact IBM support for
assistance
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
=================================================================================
A Security Vulnerability affects IBM Cloud Private - kubectl (CVE-2019-11251)
Security Bulletin
Summary
A Security Vulnerability affects IBM Cloud Private - kubectl
Vulnerability Details
CVEID: CVE-2019-11251
DESCRIPTION: Kubernetes could allow a remote attacker to gain unauthorized
access to the system, caused by an error in `kubectl cp` that allows a
combination of two symlinks to copy a file outside of its destination
directory. An attacker could exploit this vulnerability to write arbitrary
files outside of the destination tree.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.0 CD |
+--------------------+----------+
Remediation/Fixes
Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages
o IBM Cloud Private 3.2.0
o IBM Cloud Private 3.2.1
For IBM Cloud Private 3.2.0, apply November fix pack:
o IBM Cloud Private 3.2.0.1911 fix pack
For IBM Cloud Private 3.2.1, apply November fix pack:
o IBM Cloud Private 3.2.1.1911 fix pack
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.1.
o If required, individual product fixes can be made available between CD
update packages for resolution of problems. Contact IBM support for
assistance
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
=================================================================================
A Security Vulnerability affects IBM Cloud Private - Swagger UI
(CVE-2019-17495)
Security Bulletin
Summary
A Security Vulnerability affects IBM Cloud Private - Swagger UI
Vulnerability Details
CVEID: CVE-2019-17495
DESCRIPTION: A Cascading Style Sheets (CSS) injection vulnerability in Swagger
UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO)
technique to perform CSS-based input field value exfiltration, such as
exfiltration of a CSRF token value. In other words, this product intentionally
allows the embedding of untrusted JSON data from remote servers, but it was not
previously known that <style>@import within the JSON data was a functional
attack method.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169050 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.0 CD |
+--------------------+----------+
Remediation/Fixes
Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages
o IBM Cloud Private 3.2.0
o IBM Cloud Private 3.2.1
For IBM Cloud Private 3.2.0, apply November fix pack:
o IBM Cloud Private 3.2.0.1911 fix pack
For IBM Cloud Private 3.2.1, apply November fix pack:
o IBM Cloud Private 3.2.1.1911 fix pack
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.1.
o If required, individual product fixes can be made available between CD
update packages for resolution of problems. Contact IBM support for
assistance
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
=================================================================================
A Security Vulnerability affects IBM Cloud Private - Go (CVE-2019-16276)
Security Bulletin
Summary
A Security Vulnerability affects IBM Cloud Private - Go
Vulnerability Details
CVEID: CVE-2019-16276
DESCRIPTION: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request
Smuggling.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167963 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.2.0 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
Remediation/Fixes
Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages
o IBM Cloud Private 3.2.0
o IBM Cloud Private 3.2.1
For IBM Cloud Private 3.2.0, apply November fix pack:
o IBM Cloud Private 3.2.0.1911
For IBM Cloud Private 3.2.1, apply November fix pack:
o IBM Cloud Private 3.2.1.1911
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.1.
o If required, individual product fixes can be made available between CD
update packages for resolution of problems. Contact IBM support for
assistance
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXg070GaOgq3Tt24GAQhSDxAAxTLPF41f9XQxq4uzaQI3LVlMlKGLKHjT
VDyPim1DsBC4xufsd35zLq6k9pw5vmYeaex4NCuIgtUdEob/dL2Tmwexr99cyMle
fK2n6xtmHKYJ+QqAKBCWUmQqRMMJHEJS7wBQscvfhozCZ7jnz0e2Th8IRhQwvfDN
X7FuoQd/5Y0HEHz6QEZZpUPIt0yrKGbgkoXI7gAS/QDCoy7udnUb9UuifW0AEZol
3/Q4u0lrGftwAeNTyu/ON3GsZt40hJw5jmkSZTT3kT4i+zvrHe6BBVUyx7wxjbMo
thY3xfspC4ZOzq6kYPdHsx2bAxitYBT+jT/ue+6c7e6EgsIP9EiZOy2c86f8z9Sr
koc2+K7HhmQ9DjfsZXMxkfJXM0GNNdPDt57N4RSnTrCc3WBStKLcGOCnXDSYHZ5T
iptseltwf7d/f60SaF1HzHT4aRI9cP7M9ISqqk0vZdC6g94qGGOndKCR7N2OUrxu
fF4PO8XY/auzMnxidmg1f7cWc/pWY8AaHFAwWArtNJc/XxdG9f7YMJfrPMbx48So
H1E3d8NDLwWbPw92K5PAH8a4ursehr98s1m0nhR5voR1UyVi08wT6nRDZznVUoXA
MwRrnpPRRuwk2CEFQvNNPJ/JEfJRacrHhrUUPcQu+n/TJ/5sgjOlI3hBx5H0t4yc
t8v9kPZqWYo=
=Gboo
-----END PGP SIGNATURE-----