Operating System:

[Linux]

Published:

03 January 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0044
        Multiple Security Vulnerabilities affect IBM Cloud Private
                              3 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Private
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1563 CVE-2019-1549 CVE-2019-1547

Reference:         ASB-2019.0353
                   ESB-2019.4657

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1167106
   https://www.ibm.com/support/pages/node/1167100
   https://www.ibm.com/support/pages/node/1167088

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities affect IBM Cloud Private - OpenSSL (CVE-2019-1563,
CVE-2019-1549, CVE-2019-1547)

Security Bulletin

Summary

Security Vulnerabilities affect IBM Cloud Private - OpenSSL

Vulnerability Details

CVEID: CVE-2019-1563
DESCRIPTION: In situations where an attacker receives automated notification of
the success or failure of a decryption attempt an attacker, after sending a
very large number of messages to be decrypted, can recover a CMS/PKCS7
transported encryption key or decrypt any RSA encrypted message that was
encrypted with the public RSA key, using a Bleichenbacher padding oracle
attack. Applications are not affected if they use a certificate together with
the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the
correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected
1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in
OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-1549
DESCRIPTION: OpenSSL 1.1.1 introduced a rewritten random number generator
(RNG). This was intended to include protection in the event of a fork() system
call in order to ensure that the parent and child processes did not share the
same RNG state. However this protection was not being used in the default case.
A partial mitigation for this issue is that the output from a high precision
timer is mixed into the RNG state so the likelihood of a parent and child
process sharing state is significantly reduced. If an application already calls
OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem
does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167021 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-1547
DESCRIPTION: Normally in OpenSSL EC groups always have a co-factor present and
this is used in side channel resistant code paths. However, in some cases, it
is possible to construct a group using explicit parameters (instead of using a
named curve). In those cases it is possible that such a group does not have the
cofactor present. This can occur even where all the parameters match a known
named curve. If such a curve is used then OpenSSL falls back to non-side
channel resistant code paths which may result in full key recovery during an
ECDSA signature operation. In order to be vulnerable an attacker would have to
have the ability to time the creation of a large number of signatures where
explicit parameters with no co-factor present are in use by an application
using libcrypto. For the avoidance of doubt libssl is not vulnerable because
explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected
1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in
OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167020 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

  o IBM Cloud Private 3.2.0.1911 fix pack

For IBM Cloud Private 3.2.1, apply November fix pack:

  o IBM Cloud Private 3.2.1.1911 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References


- -------------------------------------------------------------------------------

IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-ID:
CVE-2019-11244)

Security Bulletin

Summary

IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-ID:
CVE-2019-11244)

Vulnerability Details

CVEID: CVE-2019-11244
DESCRIPTION: In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in
the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache),
written with world-writeable permissions (rw-rw-rw-). If --cache-dir is
specified and pointed at a different location accessible to other users/groups,
the written files may be modified by other users/groups and disrupt the kubectl
invocation.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
160042 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0

For IBM Cloud Private 3.2.0, applyOctoberfix pack:

  o IBM Cloud Private 3.2.0.1910 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References


- -------------------------------------------------------------------------------

Security Vulnerabilities affect IBM Cloud Private Cloud Foundry - Python
(CVE-2019-9947, CVE-2019-9948)

Security Bulletin

Summary

Security Vulnerabilities affect IBM Cloud Private Cloud Foundry - Python
(CVE-2019-9947, CVE-2019-9948)

Vulnerability Details

CVEID: CVE-2019-9948
DESCRIPTION: urllib in Python 2.x through 2.7.16 supports the local_file:
scheme, which makes it easier for remote attackers to bypass protection
mechanisms that blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158831 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-9947
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16
and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the
attacker controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the path component of a URL
that lacks a  character) followed by an HTTP header or a Redis command. This
is similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private   |3.2.1 CD  |
+--------------------+----------+
|IBM Cloud Private   |3.2.0 CD  |
+--------------------+----------+

Remediation/Fixes

Product defect fixes and security updates are only available for the two most
recent Continuous Delivery (CD) update packages

  o IBM Cloud Private 3.2.0
  o IBM Cloud Private 3.2.1

For IBM Cloud Private - Cloud Foundry 3.2.0, apply fix pack:

  o IBM Cloud Private Cloud Foundry 3.2.0 fix pack

For IBM Cloud Private - Cloud Foundry 3.2.1, apply fix pack:

  o IBM Cloud Private Cloud Foundry 3.2.1 fix pack

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
    Private 3.2.1.
  o If required, individual product fixes can be made available between CD
    update packages for resolution of problems. Contact IBM support for
    assistance

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXg67y2aOgq3Tt24GAQjOyRAA2RpcXex0etyK35gmFx0nHYUE9jj918bv
Hp6bKTC7rn3WRHRAhNnJ9S1AiPReXfTeeFY7ZLhLjS78V2tCPrhegEHN2nehFPN3
7xSf9D2npx0LEbfpgelQYEBzgLyaPQ1zwdCdh/pUs2j0kI74PYo5uvxI/JpZAHRn
XxSZiIpd1WwfOvYKLqbUNMizo5uyB9WZIwhni2f/npAd55ztgXlig54RodjVmSGx
Ym+y9LBPYX2Qay2lsTARZBt+kyEiUWKulU0FVOa8AaYRBxk4UYv8xrK9qYCU8Bvh
uZ33x23g2gAp5N3JSMslsfGRI01M/s1O/UGXltbf9/9EkDqaQ0hxwJ2sh8TG0e3E
9jhJyyKS9tve6gll7B5f2hCHjk9s5HZ/IXQvYAyy+5JAqMsSBEDCEjXIWKpvG8Tr
nVu6zlkXeKWSe8XqlMcHGA5yK63FzGKZhqEKYwrESab776OZyJVlyjO6Qa4nWQ2R
qQJiCrMgcqFtC1L9EGqcE5kNqkeaAUWj72QD/vKw+/pFK+fqMpQdQtc8on5Iz2hN
9SPs3uZ0IjWVqJ2DdImE9a6PiXSXoV9aGd4w+Gbf9+DBXbZglf8Wd5P4FK8TXJW2
nvowuVyGMZNlnnmQ/vzD9lopLP/6c38HYbjZPRJQ4QbHveUO34Pl5OgGum4HgYBp
LLqc4bspHXs=
=yilR
-----END PGP SIGNATURE-----