IBM Cloud Private for Data is affected by an issue with runc used by Docker. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host.
CVEID: CVE-2019-5736 DESCRIPTION: Runc could allow a local attacker to execute arbitrary commands on the system, cause by the improper handling of system file descriptors when running containers. An attacker could exploit this vulnerability using a malicious container to overwrite the contents of the host runc binary and execute arbitrary commands with root privileges on the host system.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156819> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
IBM Cloud Private for Data 1.1.x using IBM Cloud Private 3.1.1
IBM Cloud Private for Data 1.2.x using IBM Cloud Private 3.1.2
Apply Docker packages provided by IBM Cloud Private as detailed in the IBM Cloud Private Security Bulletin at <https://www-01.ibm.com/support/docview.wss?uid=ibm10871642>
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud pak for data | eq | 1.1.0 | |
ibm cloud pak for data | eq | 1.1.0.1 | |
ibm cloud pak for data | eq | 1.2.0 | |
ibm cloud pak for data | eq | 1.2.1 |