Readme file for: IBM Cloud Private 3.2.1.2008 fix pack
Product Release: 3.2.1
Publication Date: 4 September 2020
Last modified Date: 4 September 2020
This fix pack includes fixes to address reported and found problems that affect IBM Cloud Private version 3.2.1.
This 3.2.1.2008 fix pack is intended for environments that use version 1.13.12 of Kubernetes. If you want, or need, to upgrade to a newer version of Kubernetes, you must apply the 3.2.2.2008 fix pack instead of this 3.2.1.2008 fix pack. The 3.2.1.2008 fix pack includes all fixes that are included in the 3.2.2.2008 fix pack, except for fixes that apply to the updated version of Kubernetes.
The following problems are fixed within the fix pack:
Table 1. Fixed problems in IBM Cloud Private 3.2.1.2008 fix pack

| Issue | Category | Description |
|---|---|---|
| 39229 | Calico | Calico is upgraded to version 3.8.9 to address a security vulnerability. |
| 40048 | Kubernetes | This fix updates the Kubernetes ingress-nginx to address a security vulnerability related to ingress-nginx. |
| 31863, 34244, 35166, 35312, 35476, 37301, 37619, 38548, 39076, 39222, 40036 | Logging | This fix pack includes the following fixes: |
| 38874 | Metering | This fix updates the Lodash version to version 4.17.19 to address security vulnerabilities. |
| 35851 | Security - Identity and Access Management (IAM) | This fix pack includes fixes to resolve security-related vulnerabilities. |
Table 2. Fixed vulnerabilities in IBM Cloud Private 3.2.1.2008 fix pack

| Issue | CVE-ID | Description |
|---|---|---|
| 31863 | CVE-2019-1547 | OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation. |
| 31863 | CVE-2019-1549 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information. |
| 35166, 35312 | CVE-2019-1551 | OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. |
| 31863 | CVE-2019-1563 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information. |
| 35476 | CVE-2020-7238 | Netty 4.1.43.Final allows HTTP request smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. |
| 34244 | CVE-2019-7620 | Elastic Logstash is vulnerable to a denial of service, caused by a flaw in the Beats input plugin. By sending a specially crafted network packet, a remote attacker could exploit this vulnerability to cause the application to stop responding. Upgrade to the latest version of Logstash (6.8.4, 7.4.1 or later), available from the Elastic Web site. |
| 37619 | CVE-2019-11612 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. |
| 35851 | CVE-2019-15604 | Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort. |
| 35851 | CVE-2019-15605 | Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling an unusual Transfer-Encoding HTTP header. By sending a specially crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
| 35851 | CVE-2019-15606 | Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons. |
| 38548 | CVE-2020-7012 | Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the Upgrade Assistant. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system. |
| 38548 | CVE-2020-7013 | Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in TSVB. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system. |
| 38548 | CVE-2020-7015 | Elastic Kibana is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in the TSVB visualization. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
| 39076 | CVE-2020-7614 | Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by a race condition in the response headers. By sending specially crafted requests, an attacker could exploit this vulnerability to obtain sensitive information of another user from the response header. |
| 37996 | CVE-2020-7921 | MongoDB Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper serialization of internal state in the authorization subsystem. An attacker could exploit this vulnerability to bypass IP whitelisting protection. |
| 38874 | CVE-2020-8203 | Fixed for the Metering component only. The Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system. |
| 40048 | CVE-2020-8553 | Kubernetes ingress-nginx could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. By sending a specially crafted request, an attacker could exploit this vulnerability to create a new Ingress definition and replace the password file. |
| 38544 | CVE-2020-13401 | Docker CE is vulnerable to a man-in-the-middle attack, caused by improper validation of router advertisements. By sending rogue router advertisements, an attacker could exploit this vulnerability using man-in-the-middle techniques to gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. |
| 39229 | CVE-2020-13597 | Clusters using Calico (version 3.14.0 and earlier) or Calico Enterprise (version 2.8.2 and earlier) can be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege can reconfigure the node's IPv6 interface because the node accepts route advertisements by default. This vulnerability allows an attacker to redirect full or partial network traffic from the node to the compromised pod. |
| 39222 | CVE-2020-14422 | Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. |
The 3.2.1.2008 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1. The list of all fixes that are within this fix pack and the previous fix packs for version 3.2.1 is documented in the IBM Knowledge Center. For more information, see Fixed reported problems.
The process to apply a fix pack is different depending on whether you are applying only the fix pack or you are applying the fix pack as part of installing or upgrading IBM Cloud Private.
Note: After you apply the fix pack or you install or upgrade IBM Cloud Private to the fix pack version, add the root CA certificate to your trust store. With this fix pack, users on macOS 10.15 or newer cannot access the management console until the root CA certificate is added to the trust store. For more information, see:
For detailed instructions to apply the fix pack, see Applying fix packs to your cluster in the IBM Knowledge Center.
Note: You cannot apply the 3.2.1.2008 fix pack to a 3.2.2.x fix pack version.
If you already have IBM Cloud Private installed, you can upgrade IBM Cloud Private from 3.1.0, 3.1.1, 3.1.2, or 3.2.0 to 3.2.1.2008. For more information, see Upgrading in the IBM Knowledge Center.
Review the installation plan for your cluster. For more information, see Planning your cluster in the IBM Knowledge Center.
Then, install and configure IBM Cloud Private. For more information, see Installation and validation.
Review the installation requirements to plan your installation. For more information, see Preparing to install IBM Cloud Private with OpenShift in the IBM Knowledge Center.
Then, install IBM Cloud Private with OpenShift. For more information, see Installing IBM Cloud Private with OpenShift.
Verify that the fix pack is applied. For more information, see Applying fix packs to your cluster in the IBM Knowledge Center.
If you encounter issues due to this fix pack, troubleshoot the issue and reapply this fix pack.
If needed, you can roll back the fix pack changes. For more information about how to roll back a fix pack, see Rolling back a fix pack.
For the list of known issues with IBM Cloud Private 3.2.1, including any known issues that affect fix packs, see Known issues and limitations.
Table 3. List of IBM Cloud Private 3.2.1.2008 fix pack files

| Description | File name | File extension |
|---|---|---|
| IBM Cloud Private 3.2.1.2008 fix pack readme file | ibm-cloud-private-3.2.1.2008-readme | .html |
| IBM Cloud Private 3.2.1.2008 fix pack | ibm-cloud-private-x86_64-3.2.1.2008, ibm-cloud-private-ppc64le-3.2.1.2008 | .tar.gz |
© Copyright IBM Corporation 2020
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.