Security Bulletin: IBM Cloud Private for Data is affected by vulnerabilities in the Setup package. CVE-2018-1113

Summary

IBM Cloud Private for Data is affected by vulnerabilities in the Setup Project that could allow a remote attacker to bypass security restrictions.

Vulnerability Details

CVEID: CVE-2018-1113 DESCRIPTION: Setup Project could allow a remote attacker to bypass security restrictions, caused by an issue with adding /sbin/nologin and /usr/sbin/nologin to /etc/shells. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147843&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM Cloud Private for Data V1.2.1.1

Remediation/Fixes

1. Users of IBM Cloud Private for Data V1.2.1 are advised to contact IBM Support for instructions on obtaining the fix patch

Workarounds and Mitigations

No workarounds are available at this time.