===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2844
         IBM Cloud Automation Manager is affected by an issue with
                API endpoints behind the 'docker cp'
                               30 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Automation Manager
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Privileged Data -- Existing Account
                   Modify Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15664  

Reference:         ASB-2019.0181
                   ESB-2019.2831
                   ESB-2019.2198
                   ESB-2019.2145

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10960227

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Cloud Automation Manager is affected by an issue with API endpoints behind
the 'docker cp'

Product:             IBM Cloud Automation Manager
Software version:    All Versions
Operating system(s): Linux
Reference #:         0960227

Security Bulletin

Summary

IBM Cloud Automation Manager is affected by an issue in the docker cp command,
which is vulnerable to a symlink-exchange attack combined with directory
traversal, giving attackers arbitrary read-write access to the host filesystem
with root privileges.

Vulnerability Details

CVEID: CVE-2018-15664
DESCRIPTION: Docker could allow a remote attacker to traverse directories on
the system, caused by symlink-exchange race attacks in docker cp. By allowing
the execution of container processes while conducting filesystem operations on
the container, an attacker could exploit this vulnerability to gain read and
write access to any path on the host.
CVSS Base Score: 9.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/161681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

IBM Cloud Automation Manager 3.1.x, 3.2.0

Remediation/Fixes

IBM Cloud Automation Manager Content Runtime deployment installs either Docker
CE or Docker EE on the Content Runtime system based on user selection. Docker
CE is installed either using Docker provided convenience scripts or using the
installation binary provided by the user. Docker EE is installed using the
Docker EE repository URL provided by the user or the installation binary
provided by the user.

These instructions assume that you have already upgraded your Docker Engine for
CVE-2019-5736 (https://www.ibm.com/support/docview.wss?uid=ibm10871642). After
applying the fix for CVE-2019-5736, you must be running one of the following
Docker versions: Docker CE 18.06.3 or higher, Docker CE 18.09.2 or higher,
Docker EE 18.03.1-ee.6 or higher, or Docker EE 18.09.2 or higher.

To fix the vulnerability described in CVE 2018-15664, you need to upgrade your

  o Docker CE version 18.09.x to 18.09.7 or higher
  o Docker EE version 18.03.x to 18.03.1-ee.9 or higher
  o Docker EE version 18.09.x to 18.09.7 or higher

Note: If you are using Docker CE 18.06.x, then you must upgrade to Docker CE
19.03. Docker CE 18.06.x is no longer supported.

Before you upgrade the Docker Engine:

1. Execute the following command to verify the docker engine version that is
running on your Content Runtime system.

docker version

If the version is lower than Docker CE 18.09.7, Docker EE 18.03.1-ee.9 or
Docker EE 18.09.7, then you need to upgrade.

2. Make sure that no middleware content template deployments, destructions or
deletes are in the "Progress" state. If any are in the Progress state, wait for
them to complete.

3. Execute the following command to bring down the pattern manager and software
repository containers on the Content Runtime system.

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml down
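As an added example that is not part of IBM's bulletin: a POSIX shell check that applies the version thresholds from step 1 (18.09.7 for the 18.09 line, 18.03.1-ee.9 for the EE 18.03 line, and 19.03 as the target for the unsupported 18.06 line) to a Docker Engine server version string. The sample versions in the loop are constructed so the script also runs on a host without Docker; `report_local_docker` is a hypothetical helper name.

```sh
#!/bin/sh
# Decide whether a Docker Engine server version still needs the
# CVE-2018-15664 upgrade described in the bulletin.
# Returns 0 (true) when an upgrade is required, 1 when the version is fixed.
docker_needs_upgrade() {
    ver="$1"
    base=${ver%%-*}                 # "18.03.1-ee-6" -> "18.03.1"
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # tolerate "MAJOR.MINOR" with no patch
    ee=0
    case "$ver" in
        *-ee*) ee=${ver##*-ee}; ee=${ee#[.-]} ;;   # "-ee-6" or "-ee.6" -> "6"
    esac

    # 19.03 and later already carry the fix (18.06 users are sent there).
    if [ "$major" -gt 19 ] || { [ "$major" -eq 19 ] && [ "$minor" -ge 3 ]; }; then
        return 1
    fi
    # Releases before the 18.x lines have no fixed build: upgrade.
    [ "$major" -eq 18 ] || return 0
    if [ "$minor" -eq 9 ]; then
        [ "$patch" -lt 7 ]                      # fixed in 18.09.7 (CE and EE)
    elif [ "$minor" -eq 3 ] && [ "$ee" -ne 0 ]; then
        [ "$patch" -lt 1 ] || [ "$ee" -lt 9 ]   # fixed in 18.03.1-ee.9
    else
        return 0                                # 18.06.x and other 18.x: unsupported
    fi
}

# Check the engine on this host when a docker CLI is available; skipped
# silently otherwise so the script stays runnable offline. (Hypothetical helper.)
report_local_docker() {
    command -v docker >/dev/null 2>&1 || return 0
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || return 0
    if docker_needs_upgrade "$v"; then
        echo "local engine $v: upgrade required for CVE-2018-15664"
    else
        echo "local engine $v: at or above the fixed version"
    fi
}

# Constructed sample versions covering each branch of the decision.
for v in 18.09.2 18.09.7 18.03.1-ee-6 18.03.1-ee-9 18.06.3 19.03.1; do
    if docker_needs_upgrade "$v"; then echo "$v: upgrade required"; else echo "$v: ok"; fi
done
report_local_docker
```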

Upgrade Docker CE on Ubuntu

1. Execute the following command to update the apt packages

sudo apt-get update

2. List the versions available in your repo. Verify if the version you need is
in the list.

sudo apt-cache madison docker-ce

3. Install a specific version by its fully qualified package name.

sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io

  where version string is the second column from output of step 2

 Example:

 sudo apt-get install docker-ce=5:18.09.8~3-0~ubuntu-xenial docker-ce-cli=5:18.09.8~3-0~ubuntu-xenial containerd.io

4. Verify the docker version using the following command

 sudo docker version

5. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

6. Verify if the containers are started by executing the following command.

sudo docker ps

For more details on installing and upgrading Docker CE on Ubuntu, refer to
https://docs.docker.com/install/linux/docker-ce/ubuntu/

Upgrade Docker EE on Ubuntu

1. Execute the following command to set up the repository for Docker Engine
18.03 or 18.09. If your current version is Docker EE 18.03, then set up 18.03
repository. If your current version is Docker EE 18.09, then set up 18.09
repository.

 sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu
<YOUR_UBUNTU_VERSION> stable-18.03"

 or

 sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu
<YOUR_UBUNTU_VERSION> stable-18.09"

Example: sudo add-apt-repository "deb [arch=amd64]
https://storebits.docker.com/ee/trial/sub-xxx/ubuntu xenial stable-18.03"
Example: sudo add-apt-repository "deb [arch=amd64]
https://storebits.docker.com/ee/trial/sub-xxx/ubuntu xenial stable-18.09"

2. Execute the following command to update the apt packages

sudo apt-get update

3. List the versions available in your repo. Verify if the version you need is
in the list.

     sudo apt-cache madison docker-ee

4. Based on your current docker version, install a specific version by its
fully qualified package name

To upgrade 18.03 execute:

 sudo apt-get install docker-ee=<VERSION>

 To upgrade 18.09 execute: 

 sudo apt-get install docker-ee=<VERSION_STRING> docker-ee-cli=<VERSION_STRING> containerd.io

Where version_string is the second column from output of step 3

Example: sudo apt-get install docker-ee=3:18.03.1~ee~3~3-0~ubuntu

Example: sudo apt-get install docker-ee=5:18.09.3~3-0~ubuntu-xenial docker-ee-cli=5:18.09.3~3-0~ubuntu-xenial containerd.io

5. Verify the docker version using the following command

 sudo docker version

6. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

7. Verify if the containers are started by executing the following command.

sudo docker ps

 For more details on installing and upgrading Docker EE on Ubuntu, refer to
https://docs.docker.com/install/linux/docker-ee/ubuntu/

Upgrade Docker EE on Red Hat Linux

1. Execute the following command to set up the repository for Docker Engine
18.03 or 18.09. If your current version is Docker EE 18.03, then set up 18.03
repository. If your current version is Docker EE 18.09, then set up 18.09
repository.

 sudo yum-config-manager --enable docker-ee-stable-18.03

 or

 sudo yum-config-manager --enable docker-ee-stable-18.09

2. List the versions available in your repository. Verify if the version you
need is in the list.

 sudo yum list docker-ee --showduplicates | sort -r

3. Based on your current docker version, install either 18.03 or 18.09 docker
engine

 To upgrade 18.03 execute: 

 sudo yum -y install docker-ee-<version_string>

 To upgrade 18.09 execute: 

 sudo yum -y install docker-ee-<version_string> docker-ee-cli-<version_string> containerd.io

 where version_string is the second column from output of step 2
starting at the first colon (:), up to the first hyphen.

Example:
sudo yum -y install docker-ee-18.09.3 docker-ee-cli-18.09.3 containerd.io
Example:
sudo yum -y install docker-ee-18.03.1.ee.7

4. Verify the docker version using the following command

 sudo docker version

5. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

6. Verify if the containers are started by executing the following command.

sudo docker ps

 For more details on installing and upgrading Docker EE on Red Hat Linux, refer to
https://docs.docker.com/install/linux/docker-ee/rhel/

Upgrade Docker installed using binary files

 If you installed Docker on the Content Runtime virtual machine using the Docker
Installation file option during Content Runtime deployment, then you need to
download the Debian or RPM package from Docker and upgrade the package.

 For more information, depending on your operating system and Docker Engine
Edition, refer to the Upgrade section of one of the following pages:

 https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-from-a-package,
https://docs.docker.com/install/linux/docker-ee/rhel/#install-with-a-package, or
https://docs.docker.com/install/linux/docker-ee/ubuntu/#install-from-a-package.

 If you are using Docker CE 18.06.x, then you must upgrade to Docker CE 19.03.
Docker CE 18.06.x is no longer supported.

Note: You must download and install docker-cli, containerd.io and docker-ce.

 For Ubuntu execute the following steps

1. Upgrade to new version using

 sudo dpkg -i <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using

 docker version

3. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

4. Verify if the containers are started by executing the following command.

docker ps

 For Red Hat execute the following steps

1. Upgrade to new version using

 sudo yum -y upgrade <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using

 docker version

3. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

4. Verify if the containers are started by executing the following command.

docker ps

Workarounds and Mitigations

None

Change History

25 July, 2019 - Original version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================