Lucene search

K
ibmIBMF444DCD42C0257A9ACDF3DBCD35D84C3FDD5A2719B4DB1F059DFF18D72AD6137
HistoryMay 24, 2024 - 6:02 p.m.

Security Bulletin: IBM InfoSphere Information Server containers are vulnerable to privilege escalation

2024-05-2418:02:29
www.ibm.com
14
ibm
infosphere
containers
privilege escalation
vulnerability
version 11.7.1.0
fix pack 1
security
patch
kubernetes
deployment

5.4 Medium

CVSS2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:M/Au:N/C:P/I:P/A:P

8.3 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

21.5%

Summary

A privilege escalation vulnerability was addressed in IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2019-4185 DESCRIPTION: IBM InfoSphere Information Server containers are vulnerable to privilege escalation due to an insecurely configured component.
CVSS Base Score: 8.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/158975&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: version 11.7.1
IBM InfoSphere Information Server on Cloud: version 11.7.1

Remediation/Fixes

Product VRMF APAR Remediation/First Fix
InfoSphere Information Server,
Information Server on Cloud 11.7 --

--Apply IBM InfoSphere Information Server version 11.7.1.0
--Apply IBM InfoSphere Information Server 11.7.1.0 Fix Pack 1

Workarounds and Mitigations

Perform the following steps to secure your environment:

1. List your kube-system namespace
> kubectl get deployments -n kube-system

image-20190425180554-1

2. List the pods in your kube-system namespace
> kubectl get deployments -n kube-system

image-20190425180646-2

3. Delete the tiller pod
> kubectl delete deployment tiller-deploy --namespace=kube-system

4. Verify that the tiller pod was deleted by examining the output of command
> kubectl get deployments -n kube-system

Verify that helm is working by executing the following command:
> helm list

The output should contain the list of deployed services.
However, if the following error message is displayed:
Error: configmaps is forbidden: User “system:serviceaccount:kube-system:default” cannot list resource “configmaps” in API group “” in the namespace “kube-system”

Execute the following command:
> kubectl patch deploy --namespace kube-system tiller-deploy -p ‘{“spec”:{“template”:{“spec”:{“serviceAccount”:“tiller”}}}}’

After 10 to 20 seconds, again check the output of “helm list” as indicated above.

NOTE:
After making the above changes, if at a later point in time you need to install a patch, you must deploy the tiller pod before installing the patch. Use the following steps:

1. Deploy tiller
> /usr/local/bin/helm init

2. Verify that the tiller POD is created by executing the command
> kubectl get deployments -n kube-system

You should see tiller-deploy listed in the output.

3. Install the patch

4. Repeat the steps listed above to again secure your environment.

Affected configurations

Vulners
Node
ibminfosphere_information_serverMatch11.7.1

5.4 Medium

CVSS2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:M/Au:N/C:P/I:P/A:P

8.3 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

21.5%

Related for F444DCD42C0257A9ACDF3DBCD35D84C3FDD5A2719B4DB1F059DFF18D72AD6137