Security Bulletin: Vulnerabilities in Python affect OS Image for RedHat bundled with Cloud Pak System

Summary

Vulnerabilities in Open Source Python affect OS Image Red Hat bundled with IBM Cloud Pak System. OS Image Red Hat addressed applicable CVEs.

Vulnerability Details

CVEID:CVE-2019-16935
**DESCRIPTION:**Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

If you are using an earlier unsupported release, IBM strongly recommends that you upgrade.

Cloud Pak System update python v2.7.17 with IBM OS Image for Red Hat Linux Systems (RHEL 7.9) 3.1.3.0 related OS packages python-2.7.5-90*.

For Cloud Pak System v2.3.0.1, v2.3.1.1, v.2.3.2.0, v2.3.3.0, v2.3.3.1, v.2.3.3.2,

upgrade to Cloud Pak System v2.3.3.3 and apply Cloud Pak System v2.3.3.3 Interim Fix 1 at Fix Central.

For Cloud Pak System v.2.3.3.3

apply Cloud Pak System v2.3.3.3 Interim Fix 1 at Fix Central.

Information on upgrading at : <http://www.ibm.com/support/docview.wss?uid=ibm10887959&gt;

Workarounds and Mitigations

None