Lucene search

K
ibmIBMC9488F06558746146D0C18DBB0BEB871DAFDC70B677B49F63F50BEA425EB86AF
HistoryFeb 28, 2020 - 3:54 p.m.

Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2018-14647)

2020-02-2815:54:09
www.ibm.com
17
python
ibm operations analytics predictive insights
cve-2018-14647
vulnerability
expat
denial of service
cpu
ram
cvss
fix
1.3.6 interim fix 2

EPSS

0.006

Percentile

79.3%

Summary

Python is used by IBM Operations Analytics Predictive Insights. IBM Operations Analytics Predictive Insights has addressed the applicable CVE. Note that the usage of Python within IBM Operations Analytics Predictive Insights is limited to the REST Mediation utility. If you do not use that utility then you are not affected by this bulletin.

Vulnerability Details

CVEID:CVE-2018-14647
**DESCRIPTION:**Python’s elementtree C accelerator failed to initialise Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Operations Analytics Predictive Insights 1.3.6

Remediation/Fixes

Apply 1.3.6 Interim Fix 2
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics±+Predictive+Insights&release=1.3.6

Workarounds and Mitigations

None