IBME4170338D68B16A2EBF0DC8E5DBFF1B46150B819FD904C9522A55A1570B0EF04Security Bulletin: IBM Cloud Pak for Multicloud Management Managed Service Content Runtime is affected by an issue with Docker before 19.03.15.
6.8 Medium
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
60.1%
Summary
IBM Cloud Pak for Multicloud Management Managed Service Content Runtime is affected by an issue with Docker before 19.03.15. as described in CVE-2021-21284 and CVE-2021-21285. If you have IBM Cloud Pak for Multicloud Management Managed Service Content Runtime with docker engine 19.03.14 or earlier installed, upgrade it to 19.03.15.
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak for Multicloud Management Infrastructure Management | All |
Remediation/Fixes
IBM Cloud Pak for Multicloud Management Managed Service Content Runtime deployment installs either Docker CE or Docker EE on the Content Runtime system based on user selection. Docker CE is installed either using Docker provided convenience scripts or using the installation binary provided by the user. Docker EE is installed using the Docker EE repository URL provided by the user or the installation binary provided by the user.
Before you upgrade the Docker Engine:
1. Run the following command to verify the docker engine version that is running on your Content Runtime system.
docker version
If the version is earlier than 19.03.15, you need to upgrade it to 19.03.15.
2. Make sure you have no middleware content template deployments, destroys or deletes in βProgressβ state. If they are in Progress state, wait for them to complete.
3. Run the following command to bring down the pattern manager and software repository containers on the Content Runtime system.
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml down
Upgrade Docker CE on Ubuntu
1. Run the following command to update the apt packages
sudo apt-get update
2. List the versions available in your repo. Verify whether the version you need is in the list.
sudo apt-cache madison docker-ce
3. Install a specific version by its fully qualified package name.
sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io
where version string is the second column from output of step 2
Example:
sudo apt-get install docker-ce=5:19.03.15~3-0~ubuntu-xenial docker-ce-cli=5:19.03.15~3-0~ubuntu-xenial containerd.io
4. Verify the docker version by running the following command
sudo docker version
5. Restart the containers by running the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
6. Verify whether the containers are started by running the following command.
sudo docker ps
For more details on install and upgrade of Docker CE on Ubuntu, see <https://docs.docker.com/engine/install/ubuntu/>
Upgrade Docker EE on Ubuntu
1. Run the following command to set up the repository for Docker Engine 19.03
sudo add-apt-repository βdeb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu <YOUR_UBUNTU_VERSION> stable-19.03β
Example: sudo add-apt-repository βdeb [arch=amd64] <https://storebits.docker.com/ee/trial/sub-xxx/ubuntu> xenial stable-19.03β
2. Run the following command to update the apt packages
sudo apt-get update
3. List the versions available in your repo. Verify whether the version you need is in the list.
sudo apt-cache madison docker-ee
4. Install a specific version by its fully qualified package name
sudo apt-get install docker-ee=<VERSION_STRING> docker-ee-cli=<VERSION_STRING> containerd.io
Example: sudo apt-get install docker-ee=5:19.03.15~3-0~ubuntu-xenial docker-ee-cli=5:19.03.15~3-0~ubuntu-xenial containerd.io
5. Verify the docker version by running the following command
sudo docker version
6. Restart the containers by running the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
7. Verify whether the containers are started by running the following command.
sudo docker ps
For more details on install and upgrade of Docker EE on Ubuntu, see https://docs.mirantis.com/containers/v3.1/mcr-deployment-guide/mcr-linux/ubuntu.html
Upgrade Docker EE on Red Hat Linux
1. Run the following command to set up the repository for Docker Engine 19.03
sudo yum-config-manager --enable docker-ee-stable-19.03
2. List the versions available in your repository. Verify whether the version you need is in the list.
sudo yum list docker-ee --showduplicates | sort -r
3. To upgrade 19.03, run the following command:
sudo yum -y install docker-ee-< version_string > docker-ee-cli-< version_string > containerd.io
where version_string is the second column from output of step 2 starting at the first colon (:), up to the first hyphen.
Example: sudo yum -y install docker-ee-19.03.15 docker-ee-cli-19.03.15 containerd.io
4. Verify the docker version by running the following command
sudo docker version
5. Restart the containers by running the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
6. Verify whether the containers are started by running the following command.
sudo docker ps
For more details on install and upgrade of Docker EE on Red Hat Linux, see <https://docs.mirantis.com/containers/v3.1/mcr-deployment-guide/mcr-linux/rhel.html>
Upgrade Docker installed using binary files
If you installed Docker on Content Runtime virtual machine using the Docker Installation file option during Content Runtime deployment, then you need to download the debian or rpm package from Docker and upgrade the package.
For more information, depending on your operating system and Docker Engine Edition, refer to Upgrade section in one of the following links
https://docs.docker.com/engine/install/ubuntu/#install-from-a-package,
Note: You must download and install docker-cli, containerd.io and docker-ce (or docker-ee).
For Ubuntu, do the following steps
1. Upgrade to new version by running the following command
sudo dpkg -i <PATH_TO_UPGRADE_PACKAGE>
2. Verify the docker version by running the following command
docker version
3. Restart the containers by running the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
4. Verify whether the containers are started by running the following command.
docker ps
For Red Hat, do the following steps
1. Upgrade to new version by running the following command
sudo yum -y upgrade <PATH_TO_UPGRADE_PACKAGE>
2. Verify the docker version by running the following command
docker version
3. Restart the containers by running the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
4. Verify whether the containers are started by running the following command.
docker ps
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak for multicloud management | eq | 2.2 |
Related
6.8 Medium
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
60.1%