IBM Event Streams has addressed the following vulnerabilities in the Go Runtimes shipped.
CVE-ID: CVE-2019-6486
Description: Golang Go is vulnerable to a denial of service, caused by mishandling P-521 and P-384 elliptic curves. By using specially-crafted inputs, a local attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base Score: 6.2
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/156156> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2018-16875
DESCRIPTION: Go Programming Language is vulnerable to a denial of service, caused by the failure to limit the amount of work performed for each chain verification. By sending specially-crafted pathological inputs, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154318> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1
Upgrade to IBM Event Streams 2019.1.1 which is available from Passport Advantage.