Aug 18, 2020 - 10:10 p.m.

Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-2019-11254)

2020-08-18 22:10:35
www.ibm.com

EPSS: 0.001 (Percentile: 42.9%)

Summary

IBM Cloud Private is vulnerable to a Kubernetes vulnerability.

Vulnerability Details

**CVEID:** CVE-2019-11254
**DESCRIPTION:** Kubernetes is vulnerable to a denial of service, caused by a flaw in kube-apiserver. By sending a specially-crafted request using YAML payloads, a remote authenticated attacker could exploit this vulnerability to consume excessive CPU cycles.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178935 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Private | 3.2.1 CD |
| IBM Cloud Private | 3.2.2 CD |

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages:

  • IBM Cloud Private 3.2.1
  • IBM Cloud Private 3.2.2

For IBM Cloud Private 3.2.1, apply the March 3.2.1 fix pack, then apply the June 3.2.2 fix pack. The June 3.2.2 fix pack includes all fixes in the June 3.2.1 fix pack, updates Kubernetes from version 1.13.12 to 1.16.7, and includes the Kubernetes fixes that address this CVE.

For IBM Cloud Private 3.2.2, apply the June fix pack:

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance.
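
After applying the fix pack, it is worth confirming that the API server actually reports the Kubernetes level the bulletin names. The script below is an added example, not part of the IBM bulletin or IBM tooling: the function names, the `+icp-ee` build suffix and the sample JSON are constructed for illustration, and it assumes the pretty-printed output of `kubectl version -o json`.

```shell
# Added example, not IBM's tooling. 1.16.7 is the Kubernetes level the
# bulletin says the June 3.2.2 fix pack installs.
FIXED_K8S="1.16.7"

# Read `kubectl version -o json` on stdin, print serverVersion.gitVersion.
# Assumes kubectl's pretty-printed output (one key per line).
server_git_version() {
  awk '/"serverVersion"/ {s=1}
       s && /"gitVersion"/ {gsub(/[",]/, ""); print $2; exit}'
}

# Strip a leading "v" and any build suffix such as "+icp-ee" (illustrative).
normalize_version() {
  v=${1#v}
  printf '%s\n' "${v%%[+-]*}"
}

# Status 0 if $1 >= $2, 1 if older, 2 if either is not numeric x.y.z.
version_at_least() {
  have=$(normalize_version "$1"); want=$(normalize_version "$2")
  for n in 1 2 3; do
    h=$(printf '%s.0.0' "$have" | cut -d. -f"$n")
    w=$(printf '%s.0.0' "$want" | cut -d. -f"$n")
    case "$h" in ''|*[!0-9]*) return 2 ;; esac
    case "$w" in ''|*[!0-9]*) return 2 ;; esac
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
  done
  return 0
}

# Constructed sample of the JSON from a cluster still on 1.13.12.
sample_version_json() {
  cat <<'EOF'
{
  "clientVersion": {
    "gitVersion": "v1.16.7"
  },
  "serverVersion": {
    "gitVersion": "v1.13.12+icp-ee"
  }
}
EOF
}

# On a real cluster: kubectl version -o json | server_git_version
reported=$(sample_version_json | server_git_version)
version_at_least "$reported" "$FIXED_K8S" && verdict="at fix level" || verdict="BELOW fix level"
echo "API server $reported: $verdict ($FIXED_K8S)"
```

The check reads the server version rather than the client version because the flaw is in kube-apiserver; a patched `kubectl` on an unpatched cluster would otherwise give a false pass.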

Workarounds and Mitigations

None
