IBMF444DCD42C0257A9ACDF3DBCD35D84C3FDD5A2719B4DB1F059DFF18D72AD6137Security Bulletin: IBM InfoSphere Information Server containers are vulnerable to privilege escalation
5.4 Medium
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:P/I:P/A:P
8.3 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
21.5%
Summary
A privilege escalation vulnerability was addressed in IBM InfoSphere Information Server.
Vulnerability Details
CVEID: CVE-2019-4185 DESCRIPTION: IBM InfoSphere Information Server containers are vulnerable to privilege escalation due to an insecurely configured component.
CVSS Base Score: 8.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/158975>_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: version 11.7.1
IBM InfoSphere Information Server on Cloud: version 11.7.1
Remediation/Fixes
| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| InfoSphere Information Server, | |||
| Information Server on Cloud | 11.7 | -- |
--Apply IBM InfoSphere Information Server version 11.7.1.0
--Apply IBM InfoSphere Information Server 11.7.1.0 Fix Pack 1
Workarounds and Mitigations
Perform the following steps to secure your environment:
1. List your kube-system namespace
> kubectl get deployments -n kube-system
2. List the pods in your kube-system namespace
> kubectl get deployments -n kube-system
3. Delete the tiller pod
> kubectl delete deployment tiller-deploy --namespace=kube-system
4. Verify that the tiller pod was deleted by examining the output of command
> kubectl get deployments -n kube-system
Verify that helm is working by executing the following command:
> helm list
The output should contain the list of deployed services.
However, if the following error message is displayed:
Error: configmaps is forbidden: User “system:serviceaccount:kube-system:default” cannot list resource “configmaps” in API group “” in the namespace “kube-system”
Execute the following command:
> kubectl patch deploy --namespace kube-system tiller-deploy -p ‘{“spec”:{“template”:{“spec”:{“serviceAccount”:“tiller”}}}}’
After 10 to 20 seconds, again check the output of “helm list” as indicated above.
NOTE:
After making the above changes, if at a later point in time you need to install a patch, you must deploy the tiller pod before installing the patch. Use the following steps:
1. Deploy tiller
> /usr/local/bin/helm init
2. Verify that the tiller POD is created by executing the command
> kubectl get deployments -n kube-system
You should see tiller-deploy listed in the output.
3. Install the patch
4. Repeat the steps listed above to again secure your environment.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm infosphere information server | eq | 11.7.1 |
Related
5.4 Medium
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:P/I:P/A:P
8.3 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
21.5%