Multiple Security Vulnerabilities affect IBM Cloud Private Kubernetes
CVEID: CVE-2019-9513 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Resource Loop attack. By creating multiple request streams and continually shuffling the priority of the streams, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164639> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-9511 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Data Dribble attack. By sending a HTTP/2 request by the HTTP/2 protocol stack (HTTP.sys) for an overly large amount of data from a specified resource over multiple streams, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164638> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-9515 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Settings Flood attack. By sending a stream of SETTINGS frames to the peer, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165181> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-9516 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a 0-Length Headers Leak attack. By sending a stream of headers with a 0-length header name and 0-length header value, a remote attacker could consume excessive memory resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165182> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-9517 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by an Internal Data Buffering attack. By opening the HTTP/2 window so the peer can send without constraint and sending a stream of requests for a large response object, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165183> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-9518 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Empty Frame Flooding attack. By sending a stream of frames with an empty payload and without the end-of-stream flag, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164904> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0
Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages
For IBM Cloud Private 3.2.0, apply October fix pack:
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
None