Lucene search

K
ibmIBM85461E9D9798361FF909120CBCEBF02BB37F1704095D8627B86DD04778C3E138
HistoryNov 23, 2019 - 4:46 p.m.

Security Bulletin: A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11248)

2019-11-2316:46:30
www.ibm.com
12

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

Summary

A security vulnerability affects IBM Cloud Private Kubernetes

Vulnerability Details

CVEID: CVE-2019-11248 DESCRIPTION: Kubernetes could allow a remote attacker to obtain sensitive information, caused by the exposure of the debugging endpoint /debug/pprof by default on Kubelet healthz port. An attacker could exploit this vulnerability to obtain internal Kubelet memory addresses and configuration or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164836&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

  • IBM Cloud Private 3.2.1
  • IBM Cloud Private 3.2.0

For IBM Cloud Private 3.2.0, apply October fix pack:

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.1.
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud privateeqany

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

Related for 85461E9D9798361FF909120CBCEBF02BB37F1704095D8627B86DD04778C3E138