Security Bulletin: A security vulnerability has been identified in lodash shipped with PowerAI

Summary

Vulnerability CVE-2019-1010266 in lodash

Vulnerability Details

CVEID:CVE-2019-1010266
**DESCRIPTION:**lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168402 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

The 1.6.2 ifix has been delivered by an updated package set. Obtaining the latest packages from the WML CE channel will ensure that you have the ifix installed.

Installing from WML CE with ifix from scratch:

As noted, the latest package versions available contain the fixes, so new installations or new conda environments will automatically install the patched versions. Conda strict channel priority is recommended when using WML CE.

$ cat .condarc
channels:
  - https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda
  - defaults
channel_priority: strict



conda create -n my_env python=3.6
conda activate my_env
conda install powerai=1.6.2

or

conda create -n my_env python=3.6
conda activate my_env
conda install tensorboard

Updating an existing WML CE installation:

It is recommended that you keep packages up to date. To update all packages to the latest versions, run:

conda update --all

To update individual packages, use the package name:

conda update tensorboard

If you have previously installed WML CE using the powerai meta-package, you can also use that to update to the latest packages.

conda update powerai

Workarounds and Mitigations

None