IBM3C1E68453FB00DE932C399E1B2E8C18B7547D3F9475061F547A238DB213AF613Security Bulletin: IBM Cloud Private for Data is affected by multiple vulnerabilties in Go Language (CVE-2018-16874, CVE-2018-16873, CVE-2018-16875)
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
Summary
IBM Cloud Private for Data is affected by multiple vulnerabilities in Open Source Go Language which could allow a remote attacker to traverse directories on the system, to execute arbitrary code on the system, or mount a denial of service attack.
Vulnerability Details
CVEID: CVE-2018-16874 DESCRIPTION: Go Programming Language could allow a remote attacker to traverse directories on the system, caused by improper input validation by the go get command. An attacker could send a specially-crafted Go package containing “dot dot” sequences (/…/) to write arbitrary files on the system.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154317> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
CVEID: CVE-2018-16873 DESCRIPTION: Go Programming Language could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation by the go get command. By sending a specially-crafted argument, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154316> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2018-16875 DESCRIPTION: Go Programming Language is vulnerable to a denial of service, caused by the failure to limit the amount of work performed for each chain verification. By sending specially-crafted pathological inputs, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154318> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products and Versions
IBM Cloud Private for Data V1.1.0
IBM Cloud Private for Data V1.1.0.1
IBM Cloud Private for Data V1.2.0
IBM Cloud Private for Data V1.2.1
Remediation/Fixes
- Users of IBM Cloud Private for Data V1.1.0 and V1.1.0.1 are advised to contact IBM Support for instructions on obtaining the fix patch and upgrading to V1.2.1.1.
- Uses of IBM Cloud Private for Data V1.2.0 or later are advised to contact IBM Support for instructions on obtaining the fix patch for V1.2.1.1 and upgrading to V1.2.1.1.
Workarounds and Mitigations
No workarounds are available at this time.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak for data | eq | any |
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C