Security Bulletin: Vulnerability in Python affects Watson Studio (Notebook) (CVE-2018-14647)

Published: 2020-07-06 20:58:25
Source: www.ibm.com

CVSS3: 7.5 High (score shown by this index; IBM's own base score of 5.3 is given under Vulnerability Details)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5.0 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

Python is vulnerable to a denial of service caused by a flaw in the elementtree C accelerator. By supplying a specially crafted XML document, a remote attacker could exploit this vulnerability to cause resource exhaustion (CPU and memory) in the parsing process.

Vulnerability Details

CVE-ID: CVE-2018-14647

DESCRIPTION: Python's elementtree C accelerator (_elementtree) failed to initialize Expat's hash salt when it created its parser. With an unsalted hash, an attacker can construct an XML document whose element and attribute names cause pathological hash collisions in Expat's internal hash tables, so that parsing consumes large amounts of CPU and RAM. This makes denial-of-service attacks against applications that parse untrusted XML with ElementTree easy to mount.

CVSS Base Score: 5.3

CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/150579 for more information

CVSS Environmental Score: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

  • IBM Watson Studio Paygo 1.0 (Spark and Default Environments for Python 2.7 and Python 3.5)
  • IBM Watson Studio Enterprise 1.0 (Spark and Default Environments for Python 2.7 and Python 3.5)

Remediation/Fixes

  1. This vulnerability is remediated in IBM Watson Studio by the Python 3.6 Spark and Default Environments.
  2. Spark Environment support for Python 2.7 and Python 3.5 was deprecated as of May 15, 2019 and became unavailable as of June 15, 2019. Users must move their notebooks to Python 3.6.
  3. Default Environment support for Python 2.7 and Python 3.5 was deprecated as of July 16, 2019 and became unavailable as of August 28, 2019. Users must move their notebooks to Python 3.6.
  4. Refer to the Watson Studio Python 3.6 announcement for more details.
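The following added example is not code from the IBM bulletin, from Watson Studio or from CPython. It illustrates the two things a practitioner triaging notebook environments for this issue would want, covering both the Vulnerability Details above and the remediation steps: (1) a check of whether the running interpreter is at or after the upstream CPython release that added the Expat hash-salt call to _elementtree.c, and whether the C accelerator is the parser actually in use; (2) a defensive reader for untrusted XML that feeds XMLPullParser in bounded chunks and aborts once a byte budget or a budget of distinct element/attribute names is exceeded, which caps the work an attacker-chosen name set can force out of Expat's hash tables. The FIXED_VERSIONS table, the budget values and the sample documents are assumptions and constructed inputs, not data from the bulletin; distributions backport fixes to older interpreter builds, so the version check is a hint, not a verdict. The bounded reader is a general input-budget defense, not an IBM workaround and not a substitute for the Python upgrade the bulletin requires.

```python
"""CVE-2018-14647 triage helpers (added example; not IBM or CPython code)."""
import sys
import xml.etree.ElementTree as ET

# ASSUMPTION: first CPython micro release of each series carrying the
# _elementtree.c XML_SetHashSalt fix (upstream issue bpo-34623). Vendor
# builds may have backported it to earlier micro versions.
FIXED_VERSIONS = {
    (2, 7): (2, 7, 16),
    (3, 4): (3, 4, 10),
    (3, 5): (3, 5, 7),
    (3, 6): (3, 6, 7),
    (3, 7): (3, 7, 1),
}


def interpreter_has_fix(version_info=sys.version_info):
    """True when the interpreter is at/after the assumed fixed release of its
    minor series. Series newer than 3.7 were released after the fix and count
    as fixed; series older than the table count as unfixed."""
    major, minor, micro = version_info[:3]
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        return (major, minor, micro) >= fixed
    return (major, minor) > (3, 7)


def c_accelerator_in_use():
    """True when xml.etree.ElementTree.XMLParser is the C implementation from
    _elementtree, i.e. the code path the bulletin describes. On Python 2.7 the
    accelerator lives in xml.etree.cElementTree instead, so this is a 3.x check."""
    try:
        import _elementtree
    except ImportError:
        return False
    return ET.XMLParser is _elementtree.XMLParser


class XmlBudgetExceeded(ValueError):
    """Raised when an untrusted document exceeds a parsing budget."""


def parse_bounded(data, max_bytes=1 << 20, max_names=2000, chunk=16384):
    """Parse bytes with XMLPullParser, enforcing a byte budget and a budget of
    distinct element/attribute names (the values Expat hashes). Feeding in
    chunks lets the caller stop before the whole document reaches Expat.
    Returns the root Element. Budget defaults are illustrative assumptions."""
    if len(data) > max_bytes:
        raise XmlBudgetExceeded("document exceeds %d bytes" % max_bytes)
    parser = ET.XMLPullParser(events=("start",))
    names = set()
    root = None
    for offset in range(0, len(data), chunk):
        parser.feed(data[offset:offset + chunk])
        for _event, elem in parser.read_events():
            if root is None:
                root = elem          # first start event is the document root
            names.add(elem.tag)
            names.update(elem.attrib)  # attribute names, not values
            if len(names) > max_names:
                raise XmlBudgetExceeded("more than %d distinct names" % max_names)
    parser.close()  # raises ParseError on a truncated/malformed document
    return root


def within_budget(data, **limits):
    """True if the document parses within the given budgets."""
    try:
        parse_bounded(data, **limits)
    except XmlBudgetExceeded:
        return False
    return True


# Constructed sample inputs (not taken from the bulletin).
BENIGN_XML = b'<notebook><cell id="1" lang="python">print(1)</cell></notebook>'
# Many distinct attribute names: the input shape that grows Expat's name
# tables. The name budget rejects it after the second chunk.
FLOOD_XML = b"<r>" + b"".join(b'<e a%d="1"/>' % i for i in range(5000)) + b"</r>"

if __name__ == "__main__":
    print("python %s fixed=%s c_accelerator=%s" % (
        sys.version.split()[0], interpreter_has_fix(), c_accelerator_in_use()))
    print("benign within budget:", within_budget(BENIGN_XML))
    print("flood within budget:", within_budget(FLOOD_XML))
```

Run it inside each notebook environment you still operate; an interpreter reported as unfixed with the C accelerator in use is the configuration the bulletin covers, and only the upgrade described in Remediation/Fixes resolves it.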

Workarounds and Mitigations

None.

CPE Name                  Operator   Version
ibm watson studio cloud   eq         any
