Security Bulletin: IBM Cloud Pak for Data has a vulnerable base OS image due to kernel-headers ( CVE-2022-1012, CVE-2022-32250 )

Summary

Kernel-headers used by IBM Cloud Pak for Data as part of the base OS image. CVE-2022-1012, CVE-2022-32250.

Vulnerability Details

CVEID:CVE-2022-1012
**DESCRIPTION:**Linux Kernel could allow a remote attacker to obtain sensitive information, caused by a memory leak flaw in the TCP source port generation algorithm in the net/ipv4/tcp.c function. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID:CVE-2022-32250
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free write flaw in the netfilter subsystem. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228676 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
IBM Cloud Pak for Data| 4.0.0-4.8.4

Remediation/Fixes

IBM****strongly recommends addressing the vulnerability now.

Product(s)

|

Version(s) number and/or range

|

Remediation/Fix/Instructions

—|—|—

IBM Cloud Pak for Data

|

4.0.0-4.8.4

|

Download 4.8.5 and follow instructions

Workarounds and Mitigations

None