Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-15586, CVE-2020-14039) Primary tabs

Summary

Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-15586, CVE-2020-14039)

Vulnerability Details

CVEID:CVE-2020-15586
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185446 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-14039
**DESCRIPTION:**Go could allow a remote attacker to bypass security restrictions, caused by improper validation on the VerifyOptions.KeyUsages EKU requirements during the X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

• Patch:
  <https://www.ibm.com/support/pages/node/6327429&gt;

• Users of IBM Cloud Pak for Data V2.5 are advised to:
  Apply IBM Cloud Pak for Data V2.5 cpd-2.5.0.0-lite-patch-6

• Users of IBM Cloud Pak for Data V3.0.0 and V3.0.1 are advised to:
  Apply IBM Cloud Pak for Data V3.0.1 cpd-3.0.1-lite-patch-6

Workarounds and Mitigations

None