Security Bulletin: Multiple Vulnerabilities in python 2.6.4 used in OS Image for AIX shipped with IBM Cloud Pak System

Description

## Summary

Multiple vulnerabilities have been identified in python 2.6.4 used in OS Image for AIX Systems and OS Image for RedHat Enterprise Linux Systems shipped with IBM Cloud Pak System. OS Image for AIX for IBM Cloud Pak System has addressed these vulnerabilities. OS Image for RedHat Enterprise Linux for IBM Cloud Pak System has addressed the applicable CVE-2018-1060 and CVE-2018-1060.

## Vulnerability Details

**CVEID:** [CVE-2010-3492](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3492)
**DESCRIPTION:** The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.
CVSS Base score: 5
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVEID:** [CVE-2011-1521](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521)
**DESCRIPTION:** The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
CVSS Base score: 6.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/66307](https://exchange.xforce.ibmcloud.com/vulnerabilities/66307) for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

**CVEID:** [CVE-2011-4940](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4940)
**DESCRIPTION:** The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
CVSS Base score: 4.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/76525](https://exchange.xforce.ibmcloud.com/vulnerabilities/76525) for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2011-4944](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944)
**DESCRIPTION:** Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
CVSS Base score: 3.6
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/74393](https://exchange.xforce.ibmcloud.com/vulnerabilities/74393) for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:P)

**CVEID:** [CVE-2012-0845](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845)
**DESCRIPTION:** SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
CVSS Base score: 5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/73180](https://exchange.xforce.ibmcloud.com/vulnerabilities/73180) for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVEID:** [CVE-2012-1150](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1150)
**DESCRIPTION:** Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
CVSS Base score: 5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/73911](https://exchange.xforce.ibmcloud.com/vulnerabilities/73911) for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVEID:** [CVE-2013-4238](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238)
**DESCRIPTION:** The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS Base score: 4.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/86383](https://exchange.xforce.ibmcloud.com/vulnerabilities/86383) for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2014-1912](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912)
**DESCRIPTION:** Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/90931](https://exchange.xforce.ibmcloud.com/vulnerabilities/90931) for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2014-9365](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365)
**DESCRIPTION:** The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Base score: 4.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/99294](https://exchange.xforce.ibmcloud.com/vulnerabilities/99294) for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2018-1060](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060)
**DESCRIPTION:** python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/145116](https://exchange.xforce.ibmcloud.com/vulnerabilities/145116) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2018-1061](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061)
**DESCRIPTION:** python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/145115](https://exchange.xforce.ibmcloud.com/vulnerabilities/145115) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2018-20852](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852)
**DESCRIPTION:** http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/169515](https://exchange.xforce.ibmcloud.com/vulnerabilities/169515) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2019-9740](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740)
**DESCRIPTION:** An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
CVSS Base score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/158138](https://exchange.xforce.ibmcloud.com/vulnerabilities/158138) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2019-9947](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947)
**DESCRIPTION:** An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/158830](https://exchange.xforce.ibmcloud.com/vulnerabilities/158830) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

## Affected Products and Versions

| Affected Principal Product and Versions | Affected Product(s) and Versions |
|---|---|
| IBM Cloud Pak System 2.3, 2.3.0.1 | IBM OS Image for AIX Systems v 3.0.1.0 to V 3.0.4.0; IBM OS Image for AIX Systems v 2.1.5.0 to V 2.1.14.0 |

## Remediation/Fixes

A new base OS image is released with the fix. Redeploy the patterns with the new base OS images.

Image details:

- AIX72 (TL3 SP3): Version 3.0.5.0, OS level 7200-03-03-1914, Python 2.7.10
- AIX71 (TL5 SP4): Version 2.1.15.0, OS level 7100-05-04-1914, Python 2.7.10

For RHEL images, python is provided by RedHat for the supported OS level:

- RHEL7: Version 3.0.14.0, OS level 7.7, Python 2.7.5
- RHEL6: Version 2.1.15.0, OS level 6.10, Python 2.6.6

The solution is to upgrade the IBM Cloud Pak System to the following fix pack release:

- V2.3.1.1

Information on upgrading can be found here: <https://www.ibm.com/support/docview.wss?uid=ibm10887959>

## Workarounds and Mitigations

None

## Get Notified about Future Security Bulletins

Subscribe to [My Notifications](http://www-01.ibm.com/software/support/einfo.html) to be notified of important product support alerts like this.
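Three of the issues listed in this bulletin concern how a client treats untrusted URL and hostname input: CRLF sequences in the query string (CVE-2019-9740) or path (CVE-2019-9947) reaching the HTTP request line, and the cookie-domain suffix test in CVE-2018-20852 that accepted pythonicexample.com for a cookie scoped to example.com. The following Python 3 code is an added example, not part of the IBM bulletin and not CPython's own fix; it shows the pre-flight checks an application can apply to such input before handing it to urlopen() or a cookie jar. The function names and the sample URLs are constructed for illustration.

```python
"""Defensive pre-flight checks for URLs and cookie domains (added example).

Not from the IBM bulletin or from CPython; hypothetical helpers that apply
the checks corresponding to CVE-2019-9740 / CVE-2019-9947 (CR/LF in the
query string or path) and CVE-2018-20852 (cookie domain suffix matching).
"""
import re
from urllib.parse import urlsplit

# Any ASCII control character, CR and LF included, has no place in a URL.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def reject_url_with_control_chars(url: str) -> str:
    """Return `url` unchanged, or raise ValueError if it is unsafe to request.

    The control-character test runs on the raw string on purpose: recent
    CPython versions silently strip tab, CR and LF inside urlsplit(), so a
    check on the parsed components alone would miss the injected bytes.
    The scheme allow-list also refuses file: targets of the kind described
    under CVE-2011-1521 when the same check is applied to redirect targets.
    """
    if _CONTROL_CHARS.search(url):
        raise ValueError("URL contains control characters (possible CRLF injection)")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around reject_url_with_control_chars()."""
    try:
        reject_url_with_control_chars(url)
    except ValueError:
        return False
    return True


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """Domain-suffix check that respects DNS label boundaries.

    The CVE-2018-20852 defect was a plain suffix test, so a host that merely
    ends in the cookie's domain text was accepted. A correct match requires
    the host to equal the domain or to end with '.' followed by the domain.
    """
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower().rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


if __name__ == "__main__":
    # Constructed inputs: a benign URL, CR/LF in the query string, CR/LF in the path.
    for candidate in (
        "https://example.com/api?id=42",
        "https://example.com/api?id=42\r\nX-Injected: 1",
        "https://example.com/api\r\nX-Injected: 1",
    ):
        print(repr(candidate), "->", "ok" if is_safe_url(candidate) else "rejected")
    print(cookie_domain_matches("example.com", "www.example.com"))       # True
    print(cookie_domain_matches("example.com", "pythonicexample.com"))   # False
```

The raw-string check comes first because parsing can normalise away exactly the bytes that matter; the cookie check treats a leading dot on the cookie domain as equivalent to none, which is how cookie jars store domain-scoped cookies.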
### References

- [Complete CVSS v3 Guide](http://www.first.org/cvss/user-guide)
- [On-line Calculator v3](http://www.first.org/cvss/calculator/3.0)

## Related Information

- [IBM Secure Engineering Web Portal](http://www.ibm.com/security/secure-engineering/bulletins.html)
- [IBM Product Security Incident Response Blog](http://www.ibm.com/blogs/psirt)

## Change History

- 27 December 2019: Updated release information
- 29 Nov 2019: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

## Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them.

"Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

## Document Location

Worldwide


Affected Software

| CPE Name | Name | Version |
|---|---|---|
| | ibm cloud pak system software | 2.2 |
| | ibm cloud pak system software | 2.3 |
| | ibm cloud pak system software | 2.3.0.1 |
