-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0044
        Multiple Security Vulnerabilities affect IBM Cloud Private
                               3 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Private
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1563 CVE-2019-1549 CVE-2019-1547
Reference:         ASB-2019.0353
                   ESB-2019.4657

Original Bulletin:
   https://www.ibm.com/support/pages/node/1167106
   https://www.ibm.com/support/pages/node/1167100
   https://www.ibm.com/support/pages/node/1167088

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities affect IBM Cloud Private - OpenSSL (CVE-2019-1563,
CVE-2019-1549, CVE-2019-1547)

Security Bulletin

Summary

Security Vulnerabilities affect IBM Cloud Private - OpenSSL

Vulnerability Details

CVEID: CVE-2019-1563
DESCRIPTION: In situations where an attacker receives automated notification
of the success or failure of a decryption attempt an attacker, after sending a
very large number of messages to be decrypted, can recover a CMS/PKCS7
transported encryption key or decrypt any RSA encrypted message that was
encrypted with the public RSA key, using a Bleichenbacher padding oracle
attack. Applications are not affected if they use a certificate together with
the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select
the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected
1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in
OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-1549
DESCRIPTION: OpenSSL 1.1.1 introduced a rewritten random number generator
(RNG). This was intended to include protection in the event of a fork() system
call in order to ensure that the parent and child processes did not share the
same RNG state. However this protection was not being used in the default
case. A partial mitigation for this issue is that the output from a high
precision timer is mixed into the RNG state so the likelihood of a parent and
child process sharing state is significantly reduced. If an application
already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then
this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected
1.1.1-1.1.1c).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167021 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-1547
DESCRIPTION: Normally in OpenSSL EC groups always have a co-factor present and
this is used in side channel resistant code paths. However, in some cases, it
is possible to construct a group using explicit parameters (instead of using a
named curve). In those cases it is possible that such a group does not have
the cofactor present. This can occur even where all the parameters match a
known named curve. If such a curve is used then OpenSSL falls back to
non-side channel resistant code paths which may result in full key recovery
during an ECDSA signature operation. In order to be vulnerable an attacker
would have to have the ability to time the creation of a large number of
signatures where explicit parameters with no co-factor present are in use by
an application using libcrypto.
For the avoidance of doubt libssl is not vulnerable because explicit
parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t
(Affected 1.0.2-1.0.2s).
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167020 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

- -------------------------------------------------------------------------------

IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-ID:
CVE-2019-11244)

Security Bulletin

Summary

IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-ID:
CVE-2019-11244)

Vulnerability Details

CVEID: CVE-2019-11244
DESCRIPTION: In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in
the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache),
written with world-writeable permissions (rw-rw-rw-).
If --cache-dir is specified and pointed at a different location accessible to
other users/groups, the written files may be modified by other users/groups
and disrupt the kubectl invocation.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160042 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0

For IBM Cloud Private 3.2.0, apply October fix pack:

  o IBM Cloud Private 3.2.0.1910 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

- -------------------------------------------------------------------------------

Security Vulnerabilities affect IBM Cloud Private Cloud Foundry - Python
(CVE-2019-9947, CVE-2019-9948)

Security Bulletin

Summary

Security Vulnerabilities affect IBM Cloud Private Cloud Foundry - Python
(CVE-2019-9947, CVE-2019-9948)

Vulnerability Details

CVEID: CVE-2019-9948
DESCRIPTION: urllib in Python 2.x through 2.7.16 supports the local_file:
scheme, which makes it easier for remote attackers to bypass protection
mechanisms that blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158831 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-9947
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16
and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the
attacker controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the path component of a URL
that lacks a ? character) followed by an HTTP header or a Redis command. This
is similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private - Cloud Foundry 3.2.0, apply fix pack:

  o IBM Cloud Private Cloud Foundry 3.2.0 fix pack

For IBM Cloud Private - Cloud Foundry 3.2.1, apply fix pack:

  o IBM Cloud Private Cloud Foundry 3.2.1 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXg67y2aOgq3Tt24GAQjOyRAA2RpcXex0etyK35gmFx0nHYUE9jj918bv
Hp6bKTC7rn3WRHRAhNnJ9S1AiPReXfTeeFY7ZLhLjS78V2tCPrhegEHN2nehFPN3
7xSf9D2npx0LEbfpgelQYEBzgLyaPQ1zwdCdh/pUs2j0kI74PYo5uvxI/JpZAHRn
XxSZiIpd1WwfOvYKLqbUNMizo5uyB9WZIwhni2f/npAd55ztgXlig54RodjVmSGx
Ym+y9LBPYX2Qay2lsTARZBt+kyEiUWKulU0FVOa8AaYRBxk4UYv8xrK9qYCU8Bvh
uZ33x23g2gAp5N3JSMslsfGRI01M/s1O/UGXltbf9/9EkDqaQ0hxwJ2sh8TG0e3E
9jhJyyKS9tve6gll7B5f2hCHjk9s5HZ/IXQvYAyy+5JAqMsSBEDCEjXIWKpvG8Tr
nVu6zlkXeKWSe8XqlMcHGA5yK63FzGKZhqEKYwrESab776OZyJVlyjO6Qa4nWQ2R
qQJiCrMgcqFtC1L9EGqcE5kNqkeaAUWj72QD/vKw+/pFK+fqMpQdQtc8on5Iz2hN
9SPs3uZ0IjWVqJ2DdImE9a6PiXSXoV9aGd4w+Gbf9+DBXbZglf8Wd5P4FK8TXJW2
nvowuVyGMZNlnnmQ/vzD9lopLP/6c38HYbjZPRJQ4QbHveUO34Pl5OgGum4HgYBp
LLqc4bspHXs=
=yilR
-----END PGP SIGNATURE-----
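The CVE-2019-1549 entry above describes an RNG whose state is copied into the child on fork() unless an at-fork handler (OPENSSL_INIT_ATFORK) reseeds it. The following is an added illustration, not OpenSSL's or IBM's code: it uses Python's own random.Random, whose state is likewise duplicated across os.fork(), to show the collision and the reseed-at-fork mitigation. The seed value and the registry list are constructed for the demonstration; os.register_at_fork is the standard-library hook that plays the role OPENSSL_INIT_ATFORK plays inside libcrypto.

```python
"""Show RNG state duplication across fork() and the at-fork reseed fix.

Added example (not OpenSSL's or IBM's code). random.Random is used as a
stand-in for the OpenSSL 1.1.1 RNG: without a reseed hook, parent and child
draw identical values after fork().
"""
import os
import random
import struct
from typing import List, Tuple

# Registry of RNG instances to reseed in a forked child. This mirrors what
# OPENSSL_INIT_ATFORK arranges: an at-fork handler that resets child state.
_RESEED_ON_FORK: List[random.Random] = []


def _reseed_children() -> None:
    """Runs in the child only, right after fork() and before it returns."""
    for rng in _RESEED_ON_FORK:
        rng.seed(os.urandom(32))


os.register_at_fork(after_in_child=_reseed_children)


def fork_and_draw(reseed_child: bool) -> Tuple[int, int]:
    """Fork and draw one 64-bit value in the parent and one in the child from
    an RNG seeded before the fork. Returns (parent_value, child_value).

    reseed_child=False reproduces the unprotected case: the child inherits a
    byte-for-byte copy of the parent's RNG state, so both draws coincide.
    reseed_child=True registers the instance with the at-fork hook, so the
    child's state is replaced from os.urandom() and the draws diverge.
    """
    rng = random.Random(0x5EED)  # fixed seed, constructed for the demonstration
    if reseed_child:
        _RESEED_ON_FORK.append(rng)
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: send its first draw back to the parent, then exit at once.
        os.close(read_fd)
        os.write(write_fd, struct.pack("<Q", rng.getrandbits(64)))
        os.close(write_fd)
        os._exit(0)
    os.close(write_fd)
    child_value = struct.unpack("<Q", os.read(read_fd, 8))[0]
    os.close(read_fd)
    os.waitpid(pid, 0)
    if reseed_child:
        _RESEED_ON_FORK.remove(rng)
    parent_value = rng.getrandbits(64)
    return parent_value, child_value


def child_shares_parent_state(reseed_child: bool) -> bool:
    """True when parent and child produced the same 'random' value."""
    parent_value, child_value = fork_and_draw(reseed_child)
    return parent_value == child_value


if __name__ == "__main__":
    print("no reseed, states collide:", child_shares_parent_state(False))
    print("at-fork reseed, states collide:", child_shares_parent_state(True))
```

The point for an operator reviewing this entry is that the fix is a process-lifecycle hook, not a change to the generator itself: any service that forks workers after initialising its crypto library needs the handler installed (upgrading to 1.1.1d makes it the default), and the same check applies to any userland PRNG a worker process inherits.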
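The CVE-2019-11244 entry describes kubectl writing its schema cache with mode rw-rw-rw-, so a --cache-dir shared with other accounts lets them tamper with what kubectl later reads. The following is an added example, not Kubernetes or IBM code: it builds a constructed cache tree with those permissions in a temporary directory, then shows the two operator checks that matter, listing every entry another user could modify and restricting the tree to the owner. The directory and file names inside the fixture are constructed and do not reproduce kubectl's real cache layout.

```python
"""Find and tighten world-writable entries under a kubectl cache directory.

Added example (not Kubernetes or IBM code). The fixture reproduces the
condition CVE-2019-11244 describes (cache files created 0666) so the audit
and remediation functions can be exercised offline.
"""
import os
import shutil
import stat
import tempfile
from typing import List


def world_writable_entries(cache_dir: str) -> List[str]:
    """Return paths, relative to cache_dir, of files and directories that grant
    write permission to 'other' (S_IWOTH). Symlinks are skipped, not followed,
    so a planted link cannot redirect the audit elsewhere."""
    found = []
    for root, dirs, files in os.walk(cache_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, cache_dir))
    return sorted(found)


def restrict_to_owner(cache_dir: str) -> int:
    """chmod the cache root and every directory to 0700 and every regular
    file to 0600 (explicit modes, so the caller's umask does not matter).
    Returns the number of entries changed."""
    os.chmod(cache_dir, 0o700)
    changed = 1
    for root, dirs, files in os.walk(cache_dir):
        for name in dirs:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                os.chmod(path, 0o700)
                changed += 1
        for name in files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                os.chmod(path, 0o600)
                changed += 1
    return changed


def make_vulnerable_cache() -> str:
    """Constructed fixture: a fake http-cache tree whose entries carry the
    0777/0666 modes the advisory describes. Returns the temp directory."""
    cache_dir = tempfile.mkdtemp(prefix="kubectl-http-cache-")
    server_dir = os.path.join(cache_dir, "example.internal_6443")  # constructed name
    os.mkdir(server_dir)
    os.chmod(server_dir, 0o777)
    for fname in ("schema.json", "serverresources.json"):  # constructed names
        path = os.path.join(server_dir, fname)
        with open(path, "w") as fh:
            fh.write("{}")
        os.chmod(path, 0o666)
    return cache_dir


def cleanup(cache_dir: str) -> None:
    shutil.rmtree(cache_dir, ignore_errors=True)


if __name__ == "__main__":
    d = make_vulnerable_cache()
    print("world-writable before:", world_writable_entries(d))
    print("entries tightened:", restrict_to_owner(d))
    print("world-writable after:", world_writable_entries(d))
    cleanup(d)
```

Run the audit function against the real $HOME/.kube/http-cache (or whatever --cache-dir points at) on hosts where kubectl predates the fix; the presence of any entry in the list means another local account could have altered the cached schema, and the affected host should be upgraded as the bulletin directs rather than relying on the chmod alone.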
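The two Python entries above (CVE-2019-9948 and CVE-2019-9947) share one root cause on the application side: a URL taken from an untrusted source reached urlopen after a check that named what to block rather than what to allow. The following is an added example, not CPython's or IBM's code: a validator that accepts only http(s) URLs with a host, and that rejects control characters on the raw string before parsing. The name InvalidURL and the function names are assumptions of this example. It generalises the two bulletin entries to any unexpected scheme and any C0 control character, not only local_file: and \r\n.

```python
"""Allowlist-based URL validation to run before urllib.request.urlopen().

Added example (not CPython's or IBM's code). It addresses the two classes the
bulletin lists: scheme-blocklist bypass (CVE-2019-9948) and CRLF injection
through a URL component (CVE-2019-9947).
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


class InvalidURL(ValueError):
    """Raised for any URL the caller must not hand to urlopen()."""


def validate_url(raw: str) -> str:
    """Return raw unchanged if it is acceptable, otherwise raise InvalidURL."""
    # 1. Control characters are checked on the raw string, before parsing.
    #    Recent urlsplit() versions silently strip \r, \n and \t, so a check
    #    on the parsed components would not see the injection attempt.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        raise InvalidURL("control character in URL")
    parts = urlsplit(raw)
    # 2. Allowlist, not blocklist. 'local_file', 'file', 'ftp' or any alias
    #    the parser classifies oddly is rejected without being named; note
    #    urlsplit() reports scheme '' for 'local_file:' because '_' is not a
    #    scheme character, and '' is not in the allowlist either.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise InvalidURL(f"scheme not allowed: {parts.scheme!r}")
    # 3. A network URL must name a host: 'http:///etc/passwd' has none.
    if not parts.hostname:
        raise InvalidURL("missing host")
    return raw


def is_safe_url(raw: str) -> bool:
    """Boolean wrapper around validate_url() for filtering lists of inputs."""
    try:
        validate_url(raw)
        return True
    except InvalidURL:
        return False


if __name__ == "__main__":
    # Constructed inputs covering the cases the bulletin describes.
    for candidate in (
        "https://example.com/path?q=1",
        "local_file:///etc/passwd",
        "file:///etc/passwd",
        "http://example.com/a\r\nX-Injected: 1",
        "http:///etc/passwd",
    ):
        print(repr(candidate), "->", is_safe_url(candidate))
```

The validator is the compensating control, not a substitute for the fix pack: the patched urllib versions refuse the control characters themselves, but the scheme allowlist remains the application's responsibility in every Python release.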