Security Bulletin: IBM Cloud Private is vulnerable to a Netty vulnerability (CVE-2020-11612)

Summary

IBM Cloud Private is vulnerable to a Netty vulnerability

Vulnerability Details

CVEID:CVE-2020-11612
**DESCRIPTION:**Netty is vulnerable to a denial of service, caused by unbounded memory allocation while decoding a ZlibEncoded byte stream in the ZlibDecoders. By sending a large ZlibEncoded byte stream, a remote attacker could exploit this vulnerability to exhaust memory resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

• IBM Cloud Private 3.2.1
• IBM Cloud Private 3.2.2

For IBM Cloud Private 3.2.1, apply Aug fix pack:

• IBM Cloud Private 3.2.1.2008

For IBM Cloud Private 3.2.2, apply Aug fix pack:

• IBM Cloud Private 3.2.2.2008

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:

Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.2008.

If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None