IBM Cloud Automation Manager Advanced Content Runtime is affected by an issue in docker engine before 19.03.11 as described in CVE-2020-13401. If you have IBM Cloud Automation Manager Advanced Content Runtime with docker engine 19.03.10 or lower installed, then upgrade it to 19.03.11 or higher.
Refer to the security bulletin(s) listed in the Remediation/Fixes section
| Affected Product(s) | Version(s) |
| IBM Cloud Automation Manager | 4.x.x |
| IBM Cloud Automation Manager | 3.2.x |
| IBM Cloud Automation Manager | 3.1.x |
CVEID: CVE-2020-13401
DESCRIPTION: An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.
CVSS Base Score: 6.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/182750 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: ( CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)
IBM Cloud Automation Manager Content Runtime deployment installs either Docker CE or Docker EE on the Content Runtime system based on user selection. Docker CE is installed either using Docker provided convenience scripts or using the installation binary provided by the user. Docker EE is installed using the Docker EE repository URL provided by the user or the installation binary provided by the user.
Before you upgrade the Docker Engine:
1. Execute the following command to verify the docker engine version that is running on your Content Runtime system.
docker version
If the version is lower than 19.03.11 then you need to upgrade it to 19.03.11 or higher.
2. Make sure you have no middleware content template deployments, destroys or deletes in “Progress” state. If they are in Progress state, then wait for them to complete.
3. Execute the following command to bring down the pattern manager and software repository containers on the Content Runtime system.
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml down
Upgrade Docker CE on Ubuntu
1. Execute the following command to update the apt packages
sudo apt-get update
2. List the versions available in your repo. Verify if the version you need is in the list.
sudo apt-cache madison docker-ce
3. Install a specific version by its fully qualified package name.
sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io
where version string is the second column from output of step 2
Example:
sudo apt-get install docker-ce=5:19.03.12~3-0~ubuntu-xenial docker-ce-cli=5:19.03.12~3-0~ubuntu-xenial containerd.io
4. Verify the docker version using the following command
sudo docker version
5. Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
6. Verify if the containers are started by executing the following command.
sudo docker ps
Upgrade Docker EE on Ubuntu
1. Execute the following command to set up the repository for Docker Engine 19.03
sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu <YOUR_UBUNTU_VERSION> stable-19.03"
2. Execute the following command to update the apt packages
sudo apt-get update
3. List the versions available in your repo. Verify if the version you need is in the list.
sudo apt-cache madison docker-ee
4. Install a specific version by its fully qualified package name
sudo apt-get install docker-ee=<VERSION_STRING> docker-ee-cli=<VERSION_STRING> containerd.io
Example: sudo apt-get install docker-ee=5:19.03.12~3-0~ubuntu-xenial docker-ee-cli=5:19.03.12~3-0~ubuntu-xenial containerd.io
5. Verify the docker version using the following command
sudo docker version
6. Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
7. Verify if the containers are started by executing the following command.
sudo docker ps
Upgrade Docker EE on Red Hat Linux
1. Execute the following command to set up the repository for Docker Engine 19.03
sudo yum-config-manager --enable docker-ee-stable-19.03
2. List the versions available in your repository. Verify if the version you need is in the list.
sudo yum list docker-ee --showduplicates | sort -r
3. To upgrade 19.03 execute:
sudo yum -y install docker-ee-< version_string > docker-ee-cli-< version_string > containerd.io
where version_string is the second column from output of step 2 starting at the first colon (:), up to the first hyphen.
Example: sudo yum -y install docker-ee-19.03.12 docker-ee-cli-19.03.12 containerd.io
4. Verify the docker version using the following command
sudo docker version
5. Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
6. Verify if the containers are started by executing the following command.
sudo docker ps
Upgrade Docker installed using binary files
If you installed Docker on Content Runtime virtual machine using the Docker Installation file option during Content Runtime deployment, then you need to download the debian or rpm package from Docker and upgrade the package.
For more information, depending on your operating system and Docker Engine Edition, refer to Upgrade section in one of the following links
Note: You must download and install docker-cli, containerd.io and docker-ce (or docker-ee).
For Ubuntu execute the following steps
1. Upgrade to new version using
sudo dpkg -i <PATH_TO_UPGRADE_PACKAGE>
2. Verify the docker version using
docker version
3. Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
4. Verify if the containers are started by executing the following command.
docker ps
For Red Hat execute the following steps
1. Upgrade to new version using
sudo yum -y upgrade <PATH_TO_UPGRADE_PACKAGE>
2. Verify the docker version using
docker version
3. Restart the containers using the following command
cd /root/advanced-content-runtime
docker-compose -f docker-compose.yml up -d
4. Verify if the containers are started by executing the following command.
docker ps
References
Off
17 Aug 2020: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS2L37","label":"IBM Cloud Automation Manager"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"4.2.0.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]