Lucene search

K
ibmIBM7A086F0E93B92472C7FCA2C317DA473BE8E4B03C4DA8A042F2C84374FD09DBEA
HistoryMar 01, 2020 - 5:02 p.m.

Security Bulletin: A security vulnerability has been identified in SQLite shipped with PowerAI.

2020-03-0117:02:58
www.ibm.com
18
sqlite
powerai
watson machine learning community edition
cve-2019-19242
cve-2019-19244
denial of service
cvss
vulnerabilities
upgrade
installation
packages

EPSS

0.001

Percentile

47.4%

Summary

Multiple vulnerabilities CVE-2019-19242 and CVE-2019-19244 found in SQLite package.

Vulnerability Details

CVEID:CVE-2019-19242
**DESCRIPTION:**An unspecified error with the mishandling of pExpr->y.pTab in the sqlite3ExprCodeTarget function in expr.c in SQLite has an unknown impact and attack vector.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172151 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-19244
**DESCRIPTION:**SQLite is vulnerable to a denial of service, caused by an error in sqlite3Select in select.c. By providing specially crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172196 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
Watson Machine Learning Community Edition 1.6.2
Watson Machine Learning Community Edition 1.6.1
IBM PowerAI 1.6.0

Remediation/Fixes

For IBM PowerAI 1.6.0 and Watson Machine Learning Community Edition 1.6.1 :

Upgrade to WML CE 1.6.2, which includes the fixes. See https://www.ibm.com/support/knowledgecenter/SS5SF7 for upgrading instructions.


For Watson Machine Learning Community Edition 1.6.2 :

For installing WML CE from scratch

New installations of WML CE include all security fixes.

See https://www.ibm.com/support/knowledgecenter/SS5SF7 for installation instructions.

Updating an existing WML CE installation

It is recommended to keep packages up to date. To update all packages to the latest versions within 1.6.2 use:

echo “powerai-release=1.6.2” >> $CONDA_PREFIX/conda-meta/pinned

conda update --all


To update individual packages, use the package name:

conda update tensorflow


Alternatively, the WML CE installation can be upgraded to 1.7.0, which also contains the fix.

conda update --all


Workarounds and Mitigations

None

EPSS

0.001

Percentile

47.4%