History: Jul 23, 2019 - 6:55 p.m.

Security Bulletin: Vulnerability in Python affects Watson Machine Learning Services (CVE-2018-14647)

www.ibm.com

7.5 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5.0 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

Python is vulnerable to a denial of service, caused by a flaw in the elementtree C accelerator. By using a specially crafted XML document, a remote attacker could exploit this vulnerability to cause resource exhaustion.

Vulnerability Details

CVE-ID: CVE-2018-14647

DESCRIPTION: Python's elementtree C accelerator (the _elementtree module behind xml.etree.ElementTree) failed to initialize Expat's hash salt when creating its parser. This makes it easy to mount a denial of service against Expat by constructing an XML document whose names cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150579 for more information

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
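The following is an added example, not code from the IBM bulletin or from CPython, showing how a practitioner would check an interpreter against this CVE and, on an affected interpreter, parse untrusted XML through a path that does set Expat's hash salt. The mechanism it relies on: the pure-Python XMLParser in xml.etree.ElementTree is built on the pyexpat module, which sets Expat's hash salt, whereas the _elementtree accelerator in affected releases did not. Blocking the accelerator (setting sys.modules["_elementtree"] to None before importing a private copy of xml.etree.ElementTree) therefore yields a salted parser at the cost of C-level speed. The fixed-release table (bpo-34623) is an assumption to verify against the CPython changelog; the sample documents are constructed, and MAX_XML_BYTES is an illustrative limit.

```python
"""Added example (not from the IBM bulletin or from CPython).

CVE-2018-14647: the _elementtree C accelerator behind xml.etree.ElementTree
created its Expat parser without setting Expat's hash salt.  pyexpat does set
the salt, and ElementTree's pure-Python XMLParser is built on pyexpat, so
untrusted XML can be routed through that path on an affected interpreter.
"""
import importlib
import sys
import xml.etree.ElementTree as stock_et

# ASSUMPTION (verify against the CPython changelog): first release of each
# maintained series that shipped the bpo-34623 fix.
FIXED_RELEASES = {
    (2, 7): (2, 7, 16),
    (3, 4): (3, 4, 10),
    (3, 5): (3, 5, 7),
    (3, 6): (3, 6, 7),
    (3, 7): (3, 7, 1),
}


def is_affected(version=None):
    """True if a (major, minor, micro) CPython version predates the fix.

    Listed series are compared against their fix release; series newer than
    the newest listed one were cut after the fix; older unlisted series were
    already unmaintained and never received it.
    """
    major, minor, micro = version if version is not None else sys.version_info[:3]
    series = (major, minor)
    if series in FIXED_RELEASES:
        return (major, minor, micro) < FIXED_RELEASES[series]
    return series < max(FIXED_RELEASES)


def uses_pure_python_parser(et_module):
    """True when et_module.XMLParser is the Python class (pyexpat-backed);
    False for the _elementtree C type, whose __init__ is a slot wrapper
    without a __code__ attribute."""
    return hasattr(et_module.XMLParser.__init__, "__code__")


def load_salted_etree():
    """Return a private copy of xml.etree.ElementTree imported with the
    accelerator blocked: sys.modules["_elementtree"] = None makes the
    module's 'from _elementtree import *' raise ImportError, so it keeps
    its pure-Python classes.  Interpreter state is restored afterwards."""
    names = ("_elementtree", "xml.etree.ElementTree")
    saved = {name: sys.modules.pop(name, None) for name in names}
    pkg = importlib.import_module("xml.etree")
    saved_attr = pkg.__dict__.get("ElementTree")
    sys.modules["_elementtree"] = None
    try:
        return importlib.import_module("xml.etree.ElementTree")
    finally:
        for name, module in saved.items():
            if module is None:
                sys.modules.pop(name, None)
            else:
                sys.modules[name] = module
        if saved_attr is None:
            pkg.__dict__.pop("ElementTree", None)
        else:
            pkg.ElementTree = saved_attr


SALTED_ET = load_salted_etree()
# Illustrative cap (bytes, or characters for str input): bounds how many
# distinct names Expat can ever be asked to hash for one document.
MAX_XML_BYTES = 1 << 20


def parse_untrusted(data, max_bytes=MAX_XML_BYTES):
    """Parse attacker-controlled XML: reject oversized input, and on an
    affected interpreter use the pyexpat-backed parser instead of the
    unsalted accelerator."""
    if len(data) > max_bytes:
        raise ValueError("XML document exceeds %d bytes" % max_bytes)
    et = SALTED_ET if is_affected() else stock_et
    return et.fromstring(data)


# Constructed sample inputs (not captured from any real attack).
SAMPLE_XML = b'<root><item id="1">a</item><item id="2">b</item></root>'
# Many distinct element and attribute names: the kind of input that populates
# Expat's internal name tables.
MANY_NAMES_XML = "<root>" + "".join(
    '<e%d a%d="1"/>' % (i, i) for i in range(200)) + "</root>"

if __name__ == "__main__":
    print("interpreter %s affected: %s" % (sys.version.split()[0], is_affected()))
    print("salted copy uses pure-Python parser:", uses_pure_python_parser(SALTED_ET))
    print("stock module uses pure-Python parser:", uses_pure_python_parser(stock_et))
    print("parsed %d children" % len(parse_untrusted(MANY_NAMES_XML)))
```

The version gate is the cheap check to run first; the salted copy is a stopgap for code that must keep running on an affected runtime until it is moved to a fixed release, and it does not help code that imports _elementtree directly or parses XML through other libraries.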

Affected Products and Versions

  • IBM Watson Machine Learning Lite Plan
  • IBM Watson Machine Learning Standard Plan
  • IBM Watson Machine Learning Professional Plan

Remediation/Fixes

  1. This vulnerability is remediated in IBM Watson Machine Learning Services with Python 3.6 runtime support.
  2. Watson Machine Learning Services and Framework support for Python 2.7 and Python 3.5 is deprecated as of July 23, 2019 and will be removed on Aug 30, 2019. Users must move to services and frameworks with Python 3.6 runtime support.
  3. Refer to the Watson Machine Learning Python 3.6 Announcement for more details.

Workarounds and Mitigations

None.
