Operators for IBM Cloud Pak for Integration (CP4I) version 2020.2 are affected by vulnerabilities in Go prior to Go version 1.14.7.
CVEID: CVE-2020-15586
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/185446 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2020-14039
**DESCRIPTION:** Go could allow a remote attacker to bypass security restrictions, caused by improper validation of the VerifyOptions.KeyUsages EKU requirements during X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/185443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2020-16845
**DESCRIPTION:** Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/186375 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
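The bounded decoding that closed CVE-2020-16845, shown as an added example in Go (not IBM's or the Go project's code): readUvarintBounded reimplements the MaxVarintLen64 cap that Go 1.14.7 added to encoding/binary.ReadUvarint, continuationStream is a constructed stand-in for a peer that never ends the varint, and stdlibBytesConsumed is a hypothetical probe that reports whether the toolchain's own encoding/binary is patched.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
)

var errOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarintBounded decodes an unsigned LEB128 varint but never consumes more
// than binary.MaxVarintLen64 bytes, the mitigation Go 1.14.7 applied to
// encoding/binary.ReadUvarint; before it, endless 0x80 bytes looped forever.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	var x, s uint64
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 { // final byte; the 10th may carry only one bit
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow
}

// continuationStream (constructed) models a peer sending only 0x80 bytes;
// limit caps the bytes yielded (0 = unlimited) so the stdlib probe cannot hang.
type continuationStream struct{ limit, sent int }

func (c *continuationStream) ReadByte() (byte, error) {
	if c.limit > 0 && c.sent >= c.limit {
		return 0, io.EOF
	}
	c.sent++
	return 0x80, nil
}

// stdlibBytesConsumed probes the toolchain's own binary.ReadUvarint with 64
// continuation bytes: a patched stdlib stops after 10, an unpatched one drains all 64.
func stdlibBytesConsumed() int {
	c := &continuationStream{limit: 64}
	_, _ = binary.ReadUvarint(c)
	return c.sent
}
```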
| Affected Product(s) | Version(s) |
|---|---|
| Asset Repository in IBM Cloud Pak for Integration (CP4I) | Operator 1.0.0 |
| Asset Repository in IBM Cloud Pak for Integration (CP4I) | Operator 1.0.1 |
| Platform Navigator in IBM Cloud Pak for Integration (CP4I) | Operator 4.0.0 |
| Platform Navigator in IBM Cloud Pak for Integration (CP4I) | Operator 4.0.1 |
| IBM Cloud Pak for Integration (CP4I) | Operator 1.0.0 |
Upgrade IBM Cloud Pak for Integration to Operator version 1.0.1, Platform Navigator Operator version 4.0.2, and Asset Repository Operator version 1.0.2.
None