Security Bulletin: IBM Cloud Private is vulnerable to Kubernetes vulnerabilities (CVE-2020-8566, CVE-2020-8565, CVE-2020-8563, CVE-2020-8564)

Summary

IBM Cloud Private is vulnerable to Kubernetes vulnerabilities

Vulnerability Details

CVEID:CVE-2020-8566
**DESCRIPTION:**Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when Ceph RBD volumes are supported and kube-controller-manager is using logLevel >= 4. By gaining access to the log files, an attacker could exploit this vulnerability to obtain the Ceph RBD Admin secrets, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189926 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-8565
**DESCRIPTION:**Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when kube-apiserver is using logLevel >= 9. By gaining access to the log files, an attacker could exploit this vulnerability to obtain the Kubernetes authorization tokens information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189925 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-8563
**DESCRIPTION:**Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when using VSphere provider and kube-controller-manager is using logLevel >= 4. By gaining access to the log files, an attacker could exploit this vulnerability to obtain the VSphere Cloud credentials, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189923 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID:CVE-2020-8564
**DESCRIPTION:**Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when pull secrets are stored in a Docker config file and loglevel >= 4. By gaining access to the configuration files, an attacker could exploit this vulnerability to obtain full secrets or other credentials in docker, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189924 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

• IBM Cloud Private 3.2.1
• IBM Cloud Private 3.2.2

For IBM Cloud Private 3.2.1, the defect fixes for Kubernetes requires an update to the Kubernetes version. First apply the 3.2.1.2003 fix pack and then apply either the 3.2.2.2006 fixpack or the 3.2.2.2008 fixpack. Then apply the 3.2.2.2012 fixpack. The 3.2.2.2006 or the 3.2.2.2008 fixpack updates Kubernetes from version 1.13.12 to 1.16.7. The 3.2.2.2012 updates Kubernetes from version 1.16.7 to 1.19

• IBM Cloud Private 3.2.1.2003
• IBM Cloud Private 3.2.2.2006
• IBM Cloud Private 3.2.2.2008

For IBM Cloud Private 3.2.2, apply fix pack:

• IBM Cloud Private 3.2.2.2012

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:

• Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.
• If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None