Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-2019-11254)

Summary

IBM Cloud Private is vulnerable to a Kubernetes vulnerability

Vulnerability Details

CVEID:CVE-2019-11254
**DESCRIPTION:**Kubernetes is vulnerable to a denial of service, caused by a flaw in kube-apiserver. By sending a specially-crafted request using YAML payloads, a remote authenticated attacker could exploit this vulnerability to consume excessive CPU cycles.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178935 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

• IBM Cloud Private 3.2.1
• IBM Cloud Private 3.2.2

For IBM Cloud Private 3.2.1, apply the March 3.2.1 fix pack then apply the June 3.2.2 fixpack. The June 3.2.2 fixpack includes all fixes in the June 3.2.1 fixpack and updates Kubernetes from version 1.13.12 to 1.16.7 and includes the Kubernetes fixes to address this CVE.

• IBM Cloud Private 3.2.1.2003

• IBM Cloud Private 3.2.2.2006

For IBM Cloud Private 3.2.2, apply June fix pack:

• IBM Cloud Private 3.2.2.2006

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:

• Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.
• If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None