8.3 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
5.4 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
21.4%
A privilege escalation vulnerability was addressed in IBM InfoSphere Information Server.
CVEID: CVE-2019-4185
DESCRIPTION: IBM InfoSphere Information Server containers are vulnerable to privilege escalation due to an insecurely configured component.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158975 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: version 11.7.1
IBM InfoSphere Information Server on Cloud: version 11.7.1
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
InfoSphere Information Server, Information Server on Cloud | 11.7 | -- | Apply IBM InfoSphere Information Server version 11.7.1.0; apply IBM InfoSphere Information Server 11.7.1.0 Fix Pack 1
Perform the following steps to secure your environment:
1. List the deployments in your kube-system namespace
> kubectl get deployments -n kube-system
2. List the pods in your kube-system namespace
> kubectl get pods -n kube-system
3. Delete the tiller deployment (this removes the tiller pod)
> kubectl delete deployment tiller-deploy --namespace=kube-system
4. Verify that the tiller deployment was deleted by examining the output of the command
> kubectl get deployments -n kube-system
Verify that helm is working by executing the following command:
> helm list
The output should contain the list of deployed services.
However, if the following error message is displayed:
Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "configmaps" in API group "" in the namespace "kube-system"
execute the following command:
> kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
After 10 to 20 seconds, check the output of "helm list" again as indicated above.
NOTE:
After making the above changes, if at a later point in time you need to install a patch, you must deploy the tiller pod before installing the patch. Use the following steps:
1. Deploy tiller
> /usr/local/bin/helm init
2. Verify that the tiller pod is created by executing the command
> kubectl get deployments -n kube-system
You should see tiller-deploy listed in the output.
3. Install the patch
4. Repeat the steps listed above to secure your environment again.
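The removal and verification steps above, written as one POSIX shell script. This is an added example, not part of IBM's advisory or the product: it assumes kubectl and helm are on PATH and that the current kube context points at the Information Server cluster. The command names are taken from the overridable KUBECTL and HELM variables so the decision logic (is tiller still listed, did helm fail with the RBAC error quoted above) can be exercised against constructed listings without a live cluster; the namespace and deployment name are the advisory's own.

```shell
#!/bin/sh
# Added example (not IBM's code): automate "delete tiller-deploy, confirm it
# is gone, confirm helm still works" from the advisory. Nothing touches a
# cluster unless the script is run with --apply.
set -eu

KUBECTL="${KUBECTL:-kubectl}"      # overridable for offline testing
HELM="${HELM:-helm}"
NAMESPACE="${NAMESPACE:-kube-system}"
TILLER_DEPLOYMENT="${TILLER_DEPLOYMENT:-tiller-deploy}"

# Return 0 if a deployment named "$1" appears in the `kubectl get deployments`
# listing read on stdin (first column, header row skipped), 1 otherwise.
listing_has_deployment() {
    awk -v want="$1" 'NR > 1 && $1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if the tiller deployment currently exists in the namespace.
tiller_present() {
    "$KUBECTL" get deployments -n "$NAMESPACE" | listing_has_deployment "$TILLER_DEPLOYMENT"
}

# Steps 3 and 4 of the advisory: delete the deployment, then re-list to
# confirm removal instead of trusting the delete command's exit status.
# Idempotent: a second run on an already-secured namespace is a no-op.
remove_tiller() {
    if ! tiller_present; then
        echo "no $TILLER_DEPLOYMENT deployment in $NAMESPACE; nothing to do"
        return 0
    fi
    "$KUBECTL" delete deployment "$TILLER_DEPLOYMENT" --namespace="$NAMESPACE"
    if tiller_present; then
        echo "ERROR: $TILLER_DEPLOYMENT is still listed in $NAMESPACE" >&2
        return 1
    fi
    echo "$TILLER_DEPLOYMENT removed from $NAMESPACE"
}

# Run `helm list` and classify the result: 0 when it succeeds, 2 when it
# fails with the "configmaps is forbidden" RBAC error quoted in the advisory
# (the advisory's kubectl patch command is the documented follow-up), and
# 1 on any other failure.
check_helm() {
    out=$("$HELM" list 2>&1) && { printf '%s\n' "$out"; return 0; }
    case "$out" in
        *"configmaps is forbidden"*)
            echo "helm cannot list releases with the default service account: $out" >&2
            return 2 ;;
        *)
            echo "helm list failed: $out" >&2
            return 1 ;;
    esac
}

# Only act on a real cluster when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    "$KUBECTL" get deployments -n "$NAMESPACE"
    "$KUBECTL" get pods -n "$NAMESPACE"
    remove_tiller
    check_helm || true
fi
```

Run it as `sh secure-tiller.sh --apply` against the cluster; without `--apply` it only defines the functions. A return code of 2 from check_helm is the cue to run the advisory's kubectl patch command and re-check after 10 to 20 seconds; when a patch later requires tiller again, `helm init` followed by this script restores the secured state.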
CPE
Name | Operator | Version
---|---|---
ibm infosphere information server | eq | 11.7.1