CVSS3: 8.6 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.003 Low (Percentile 66.0%)
IBM Cloud Private is affected by an issue in runc, which is used by Docker. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host.
CVEID: CVE-2019-5736 DESCRIPTION: runc could allow a local attacker to execute arbitrary commands on the system, caused by the improper handling of system file descriptors when running containers. An attacker could exploit this vulnerability using a malicious container to overwrite the contents of the host runc binary and execute arbitrary commands with root privileges on the host system.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156819> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
IBM Cloud Private 3.1.x
IBM Cloud Private 2.1.x
IBM Cloud Automation Manager 3.1.x, 3.2.0
Users of the IBM Cloud Private supplied Docker packages should apply one of the following patches based on their platform:
IBM Cloud Private - Linux_x86 (Ubuntu, RHEL)
IBM Cloud Private - Linux_x86 (SLES)
IBM Cloud Private - ppc64le (Ubuntu, RHEL)
IBM Cloud Private - ppc64le (SLES)
IBM Cloud Private - s390x (Ubuntu, RHEL)
IBM Cloud Private - s390x (SLES)
IBM Cloud Private users who obtained Docker from other sources should obtain a patched version from the appropriate vendor.
Users of Cloud Automation Manager Content Runtime should use the following procedure to update Docker:
Upgrade Docker Engine on IBM Cloud Automation Manager Content Runtime system for CVE 2019-5736
IBM Cloud Automation Manager Content Runtime deployment installs either Docker CE or Docker EE on the Content Runtime system based on user selection. Docker CE is installed either using Docker provided convenience scripts or using the installation binary provided by the user. Docker EE is installed using the Docker EE repository URL provided by the user or the installation binary provided by the user.
These instructions assume that you have already upgraded your Docker Engine for CVE 2018-10892 (https://www-01.ibm.com/support/docview.wss?uid=ibm10739839). After applying the fix for CVE 2018-10892, you must be running either Docker CE 18.06 or 18.09, or Docker EE 18.03 or 18.09.
To fix the vulnerability described in CVE 2019-5736, you need to upgrade your
Before you upgrade the Docker Engine:
1 Execute the following command to verify the docker engine version that is running on your Content Runtime system.
docker version
If the version is lower than Docker CE 18.06.3, Docker CE 18.09.2, Docker EE 18.03.1-ee.6 or Docker EE 18.09.2 then you need to upgrade.
2 Make sure you have no middleware content template deployments or destructions or deletes in “Progress” state. If they are in Progress state, then wait for them to complete.
3 Execute the following command to bring down the pattern manager and software repository containers on the Content Runtime system.
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml down
Note: If you are running Docker 18.06.x or lower, then do not upgrade to 18.09 or higher. Starting from Docker 18.09 the devicemapper storage driver is deprecated. The content runtime deployments that use Docker 18.06.x or lower use devicemapper storage driver.
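As an added example (not part of the IBM advisory or of Docker's own tooling), the script below encodes the check in step 1 together with the devicemapper note: it reads the engine version reported by docker version, compares it with the fixed release for the same branch (CE 18.06.3, CE 18.09.2, EE 18.03.1-ee.6, EE 18.09.2), and only ever proposes an upgrade within that branch. The --live flag, the function names and the version-string formats (18.06.1-ce, 18.09.2, 18.03.1-ee-6) are assumptions.

```shell
#!/bin/bash
# Added example, not part of the IBM advisory or of Docker's own tooling.
# Checks a Content Runtime host's Docker Engine against the advisory's fixed
# releases and only proposes same-branch upgrades (18.06 hosts stay on 18.06).

# Strip one leading zero so "06" is not read as octal by $(( )).
dec() { local n=${1#0}; echo "${n:-0}"; }

# Map "18.06.1-ce", "18.09.2" or "18.03.1-ee-6" to a sortable integer.
ver_key() {
  local core=${1%%-*} eerev=0
  case $1 in *-ee-*|*-ee.*) eerev=${1##*-ee[-.]} ;; esac
  local IFS=.
  set -- $core
  echo $(( $(dec "${1:-0}")*1000000000 + $(dec "${2:-0}")*1000000 + $(dec "${3:-0}")*1000 + $(dec "$eerev") ))
}

# Minimum fixed release for the version's edition and branch, or "unsupported"
# (the advisory expects CE 18.06/18.09 or EE 18.03/18.09 after the 2018-10892 fix).
fixed_release_for() {
  local core=${1%%-*} edition=ce
  case $1 in *-ee*) edition=ee ;; esac
  case "$edition/${core%.*}" in
    ce/18.06) echo 18.06.3-ce ;;
    ce/18.09) echo 18.09.2 ;;
    ee/18.03) echo 18.03.1-ee-6 ;;
    ee/18.09) echo 18.09.2 ;;
    *)        echo unsupported ;;
  esac
}

# Verdict for a version string: "ok", "upgrade <release>" or "unsupported".
check_engine() {
  local fixed; fixed=$(fixed_release_for "$1")
  if [ "$fixed" = unsupported ]; then echo unsupported
  elif [ "$(ver_key "$1")" -ge "$(ver_key "$fixed")" ]; then echo ok
  else echo "upgrade $fixed"; fi
}

# Live use on the Content Runtime host (assumed flag): read the running engine
# version and storage driver from the docker CLI and report the verdict.
if [ "${1:-}" = --live ]; then
  v=$(docker version --format '{{.Server.Version}}')
  d=$(docker info --format '{{.Driver}}')
  echo "Docker Engine $v, storage driver $d: $(check_engine "$v")"
fi
```

Run it with --live on the host to get the verdict for the running engine; a reported devicemapper driver with an 18.06 engine is exactly the case the note above warns about.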
Upgrade Docker CE on Ubuntu
1 Execute the following command to update the apt packages
sudo apt-get update
2 List the versions available in your repo. Verify if the version you need is in the list.
sudo apt-cache madison docker-ce
3 Install a specific version by its fully qualified package name.
For 18.06 or lower use the following command
sudo apt-get install docker-ce=<VERSION>
For 18.09 use the following command
sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io
where VERSION_STRING is the second column of the output from step 2.
Example:
sudo apt-get install docker-ce=18.06.3~ce~3-0~ubuntu
or
sudo apt-get install docker-ce=5:18.09.3~3-0~ubuntu-xenial docker-ce-cli=5:18.09.3~3-0~ubuntu-xenial containerd.io
4 Verify the docker version using the following command
sudo docker version
5 Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
6 Verify if the containers are started by executing the following command.
sudo docker ps
For more details on install and upgrade of Docker CE on Ubuntu refer to https://docs.docker.com/install/linux/docker-ce/ubuntu/
Upgrade Docker EE on Ubuntu
1 Execute the following command to set up the repository for Docker Engine 18.03 or 18.09. If your current version is Docker EE 18.03, then set up 18.03 repository. If your current version is Docker EE 18.09, then set up 18.09 repository.
sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu <YOUR_UBUNTU_VERSION> stable-18.03"
or
sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu <YOUR_UBUNTU_VERSION> stable-18.09"
Example: sudo add-apt-repository "deb [arch=amd64] https://storebits.docker.com/ee/trial/sub-xxx-xxx-xxx-xxx-xxx/ubuntu xenial stable-18.03"
Example: sudo add-apt-repository "deb [arch=amd64] https://storebits.docker.com/ee/trial/sub-xxx-xxx-xxx-xxx-xxx/ubuntu xenial stable-18.09"
2 Execute the following command to update the apt packages
sudo apt-get update
3 List the versions available in your repo. Verify if the version you need is in the list.
sudo apt-cache madison docker-ee
4 Based on your current docker version, install a specific version by its fully qualified package name
To upgrade 18.03 execute:
sudo apt-get install docker-ee=<VERSION>
To upgrade 18.09 execute:
sudo apt-get install docker-ee=<VERSION_STRING> docker-ee-cli=<VERSION_STRING> containerd.io
where VERSION_STRING is the second column of the output from step 3.
Example: sudo apt-get install docker-ee=3:18.03.1~ee~3~3-0~ubuntu
Example: sudo apt-get install docker-ee=5:18.09.3~3-0~ubuntu-xenial docker-ee-cli=5:18.09.3~3-0~ubuntu-xenial containerd.io
5 Verify the docker version using the following command
sudo docker version
6 Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
7 Verify if the containers are started by executing the following command.
sudo docker ps
For more details on install and upgrade of Docker EE on Ubuntu refer to https://docs.docker.com/install/linux/docker-ee/ubuntu/
Upgrade Docker EE on Red Hat Linux
1 Execute the following command to set up the repository for Docker Engine 18.03 or 18.09. If your current version is Docker EE 18.03, then set up 18.03 repository. If your current version is Docker EE 18.09, then set up 18.09 repository.
sudo yum-config-manager --enable docker-ee-stable-18.03
or
sudo yum-config-manager --enable docker-ee-stable-18.09
2 List the versions available in your repository. Verify if the version you need is in the list.
sudo yum list docker-ee --showduplicates | sort -r
3 Based on your current docker version, install either 18.03 or 18.09 docker engine
To upgrade 18.03 execute:
sudo yum -y install docker-ee-<version_string>
To upgrade 18.09 execute:
sudo yum -y install docker-ee-<VERSION_STRING> docker-ee-cli-<VERSION_STRING> containerd.io
where VERSION_STRING is taken from the second column of the output from step 2: the part after the first colon (:) and up to the first hyphen.
Example: sudo yum -y install docker-ee-18.09.3 docker-ee-cli-18.09.3 containerd.io
Example: sudo yum -y install docker-ee-18.03.1.ee.7
4 Verify the docker version using the following command
sudo docker version
5 Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
6 Verify if the containers are started by executing the following command.
sudo docker ps
For more details on install and upgrade of Docker EE on Red Hat Linux refer to https://docs.docker.com/install/linux/docker-ee/rhel/
**Upgrade Docker installed using binary files**
If you installed Docker on the Content Runtime virtual machine using the Docker Installation file option during Content Runtime deployment, then you need to download the Debian or RPM package from Docker and upgrade the package.
For more information, depending on your operating system and Docker Engine edition, refer to the Upgrade section in one of the following links:
https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-from-a-package
https://docs.docker.com/install/linux/docker-ee/rhel/#install-with-a-package
https://docs.docker.com/install/linux/docker-ee/ubuntu/#install-from-a-package
Note: If you are running Docker 18.06.x or lower, then do not upgrade to 18.09 or higher. Starting from Docker 18.09 the devicemapper storage driver is deprecated. The content runtime deployments that use Docker 18.06.x or lower use devicemapper storage driver.
For Ubuntu execute the following steps
1 Upgrade to new version using
sudo dpkg -i <PATH_TO_UPGRADE_PACKAGE>
2 Verify the docker version using
docker version
3 Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
4 Verify if the containers are started by executing the following command.
docker ps
For Red Hat execute the following steps
1 Upgrade to new version using
sudo yum -y upgrade <PATH_TO_UPGRADE_PACKAGE>
2 Verify the docker version using
docker version
3 Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
4 Verify if the containers are started by executing the following command.
docker ps
CPE | Name | Operator | Version
---|---|---|---
 | ibm cloud private | eq | any