Lucene search

K
ibmIBM0FA8F160274D65EBE3F9DF5D68DD52137C903D463F70DBAFEABAD8324EE404EC
HistorySep 18, 2019 - 6:45 p.m.

Security Bulletin: IBM Cloud Automation Manager is affected by an issue with Docker 19.03.x before 19.03.1.

2019-09-1818:45:57
www.ibm.com
3

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

IBM Cloud Automation Manager Advanced Content Runtime is affected by an issue in docker 19.03.x before 19.03.1 described in CVE-2019-14271. If you have docker 19.03.x before 19.03.1 installed on your advanced content runtime system, then upgrade to 19.03.1 or higher.

Vulnerability Details

CVEID: CVE-2019-14271 DESCRIPTION: Docker could allow a local attacker to execute arbitrary code on the system, caused by a code injection flaw when the nsswitch facility dynamically loads a library inside a chroot. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject and execute arbitrary code on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165377&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Cloud Automation Manager 3.1.x, 3.2.x

Remediation/Fixes

IBM Cloud Automation Manager Content Runtime deployment installs either Docker CE or Docker EE on the Content Runtime system based on user selection. Docker CE is installed either using Docker provided convenience scripts or using the installation binary provided by the user. Docker EE is installed using the Docker EE repository URL provided by the user or the installation binary provided by the user.

You need to apply the fix described in this security bulletin if the docker version used by your IBM Cloud Automation Manager Content Runtime is 19.03.0.

Before you upgrade the Docker Engine:

1. Execute the following command to verify the docker engine version that is running on your Content Runtime system.

docker version

If the version is 19.03.0 then you need to upgrade it to 19.03.1 or higher. If it is not 19.03.0 then you do not need to upgrade.

2. Make sure you have no middleware content template deployments or destructions or deletes in “Progress” state. If they are in Progress state, then wait for them to complete.

3. Execute the following command to bring down the pattern manager and software repository containers on the Content Runtime system.

cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml down

Upgrade Docker CE on Ubuntu

1. Execute the following command to update the apt packages

sudo apt-get update

2. List the versions available in your repo. Verify if the version you need is in the list.

sudo apt-cache madison docker-ce

3. Install a specific version by its fully qualified package name.

sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io

where version string is the second column from output of step 2

Example:

sudo apt-get install docker-ce=5:19.03.2~3-0~ubuntu-xenial docker-ce-cli=5:19.03.2~3-0~ubuntu-xenial containerd.io

4. Verify the docker version using the following command

sudo docker version

5. Restart the containers using the following command

cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d

6. Verify if the containers are started by executing the following command.

sudo docker ps

For more details on install and upgrade of Docker CE on Ubuntu refer to https://docs.docker.com/install/linux/docker-ce/ubuntu/

Upgrade Docker EE on Ubuntu

1. Execute the following command to set up the repository for Docker Engine 19.03

sudo add-apt-repository “deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu <YOUR_UBUNTU_VERSION> stable-19.03”

Example: sudo add-apt-repository “deb [arch=amd64] https://storebits.docker.com/ee/trial/sub-xxx/ubuntu xenial stable-19.03”

2. Execute the following command to update the apt packages

sudo apt-get update

3. List the versions available in your repo. Verify if the version you need is in the list.

sudo apt-cache madison docker-ee

4. Install a specific version by its fully qualified package name

sudo apt-get install docker-ee=<VERSION_STRING> docker-ee-cli=<VERSION_STRING> containerd.io

Example: sudo apt-get install docker-ee=5:19.03.2~3-0~ubuntu-xenial docker-ee-cli=5:19.03.2~3-0~ubuntu-xenial containerd.io

5. Verify the docker version using the following command

sudo docker version

6. Restart the containers using the following command

cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d

7. Verify if the containers are started by executing the following command.

sudo docker ps

For more details on install and upgrade of Docker EE on Ubuntu refer to https://docs.docker.com/install/linux/docker-ee/ubuntu/

Upgrade Docker EE on Red Hat Linux

1. Execute the following command to set up the repository for Docker Engine 19.03

sudo yum-config-manager --enable docker-ee-stable-19.03

2. List the versions available in your repository. Verify if the version you need is in the list.

sudo yum list docker-ee --showduplicates | sort -r

3. To upgrade 19.03 execute:

sudo yum -y install docker-ee-< version_string > docker-ee-cli-< version_string > containerd.io

where version_string is the second column from output of step 2 starting at the first colon (:), up to the first hyphen.

Example: sudo yum -y install docker-ee-19.03.2 docker-ee-cli-19.03.2 containerd.io

4. Verify the docker version using the following command

sudo docker version

5. Restart the containers using the following command

cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d

6. Verify if the containers are started by executing the following command.

sudo docker ps

For more details on install and upgrade of Docker EE on Red Hat Linux refer to https://docs.docker.com/install/linux/docker-ee/rhel/

Upgrade Docker installed using binary files

If you installed Docker on Content Runtime virtual machine using the Docker Installation file option during Content Runtime deployment, then you need to download the debian or rpm package from Docker and upgrade the package.

For more information, depending on your operating system and Docker Engine Edition, refer to Upgrade section in one of the following links

https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-from-a-package,

https://docs.docker.com/install/linux/docker-ee/rhel/#install-with-a-package, or

https://docs.docker.com/install/linux/docker-ee/ubuntu/#install-from-a-package .

Note: You must download and install docker-cli, containerd.io and docker-ce.

For Ubuntu execute the following steps

1. Upgrade to new version using

sudo dpkg -i <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using

docker version

3. Restart the containers using the following command

cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d

4. Verify if the containers are started by executing the following command.

docker ps

For Red Hat execute the following steps

1. Upgrade to new version using

sudo yum -y upgrade <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using

docker version

3. Restart the containers using the following command

cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d

4. Verify if the containers are started by executing the following command.

docker ps

CPENameOperatorVersion
ibm cloud automation managereqany

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for 0FA8F160274D65EBE3F9DF5D68DD52137C903D463F70DBAFEABAD8324EE404EC