Lucene search

K
ibmIBM1A91FB8601D752BFD8B027B3D77C02E358257AF9F10E8B2DD58DEF09EE89D628
HistoryOct 03, 2019 - 10:50 p.m.

Security Bulletin: IBM Cloud Private for Data is affected by an issue with runc used by Docker

2019-10-0322:50:40
www.ibm.com
12

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Summary

IBM Cloud Private for Data is affected by an issue with runc used by Docker. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host.

Vulnerability Details

CVEID: CVE-2019-5736 DESCRIPTION: Runc could allow a local attacker to execute arbitrary commands on the system, cause by the improper handling of system file descriptors when running containers. An attacker could exploit this vulnerability using a malicious container to overwrite the contents of the host runc binary and execute arbitrary commands with root privileges on the host system.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156819&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Cloud Private for Data 1.1.x using IBM Cloud Private 3.1.1

IBM Cloud Private for Data 1.2.x using IBM Cloud Private 3.1.2

Remediation/Fixes

Apply Docker packages provided by IBM Cloud Private as detailed in the IBM Cloud Private Security Bulletin at <https://www-01.ibm.com/support/docview.wss?uid=ibm10871642&gt;

Workarounds and Mitigations

None

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C