High Severity

IBM Security Bulletin: IBM Cloud Functions is affected by two function runtime vulnerabilities


IBM Cloud Functions has addressed the following vulnerabilities. Users of the IBM Cloud Functions service who use Docker actions (https://console.bluemix.net/docs/openwhisk/openwhisk_actions.html#creating-docker-actions) are affected, but only if the user's function itself has a general security vulnerability. In this context a general vulnerability means, for example, parameter hijacking, remote code execution or incorrect use of "eval()" (issues normally addressed through secure engineering best practices). Where such a vulnerability is present, an attacker can exploit an Apache OpenWhisk specific vulnerability to overwrite the user's function code, and the overwritten code is then executed in subsequent invocations of that same function. The CVEs listed below refer only to the ability to overwrite the action code. The general vulnerability that is a pre-condition for these CVEs is out of scope for this document, as it is a matter of general secure engineering best practices. Exploitation is only possible if the function code supplied by the user is vulnerable in the first place; users who followed general secure engineering best practices are not affected.

CVE(s): CVE-2018-11756, CVE-2018-11757

Affected product(s) and affected version(s):

IBM Cloud Functions service by using custom docker images.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10718977
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/147372
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/147371
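The bulletin describes two layers: a defect in the user's own function (for example eval() applied to a caller-controlled parameter) and a runtime weakness that lets code loaded into the action container be replaced so that later invocations run the replacement. The following model, added here as an illustration and not code from OpenWhisk or IBM Cloud Functions, shows both the mitigation at the runtime layer (a runtime that accepts action code exactly once and refuses and logs any later load) and the mitigation at the function layer (parsing a parameter as JSON data rather than evaluating it). The class and function names, the audit-log strings and the sample action sources are assumptions constructed for the example.

```python
"""Model of an action runtime that loads function code once and executes it
on every invocation. Added example for this bulletin, not OpenWhisk or IBM
Cloud Functions code; class and function names are assumptions."""
import json
from typing import Any, Callable, Dict, List, Optional

ActionFn = Callable[[Dict[str, Any]], Dict[str, Any]]


class ReinitializationError(RuntimeError):
    """Raised when something tries to replace already-loaded action code."""


class ActionRuntime:
    """Stand-in for a per-container action runtime.

    init() receives the action source once at container start; run() executes
    it for each invocation. With init_once=True (the hardened setting), any
    later init() call is refused and logged, so a defect inside the user's
    function cannot be used to swap in other code that would then run on
    every subsequent invocation of that action.
    """

    def __init__(self, init_once: bool = True) -> None:
        self.init_once = init_once
        self._entry: Optional[ActionFn] = None
        self.audit_log: List[str] = []

    def init(self, source: str, entry_point: str = "main") -> Dict[str, Any]:
        if self._entry is not None and self.init_once:
            self.audit_log.append("init refused: action already initialized")
            raise ReinitializationError("action code is already initialized")
        namespace: Dict[str, Any] = {}
        # Loading the action source is the runtime's job; the guard above
        # restricts it to the single, legitimate initialization.
        exec(source, namespace)
        self._entry = namespace[entry_point]
        self.audit_log.append("init accepted")
        return {"ok": True}

    def run(self, params: Dict[str, Any]) -> Dict[str, Any]:
        if self._entry is None:
            raise RuntimeError("action not initialized")
        return self._entry(params)


# Constructed action sources (not from the bulletin).
# The safe action treats its parameter as data: json.loads() only produces
# values, so a parameter can never become executable code.
SAFE_ACTION_SOURCE = '''
import json
def main(params):
    data = json.loads(params.get("payload", "{}"))
    return {"keys": sorted(data)}
'''

# The unsafe variant is the kind of pre-condition the bulletin refers to:
# eval() turns a caller-controlled string into code running inside the
# container, which is what makes a code-overwrite issue reachable.
UNSAFE_ACTION_SOURCE = '''
def main(params):
    data = eval(params.get("payload", "{}"))
    return {"keys": sorted(data)}
'''

# Stand-in for "different code" that a second init() would load.
REPLACEMENT_SOURCE = '''
def main(params):
    return {"keys": ["replaced"]}
'''


def invoke_sequence(init_once: bool) -> Dict[str, Any]:
    """Initialize, invoke, attempt a second init, invoke again.

    Returns both invocation results, whether the second init was refused and
    the audit log, so the two runtime settings can be compared side by side.
    """
    rt = ActionRuntime(init_once=init_once)
    rt.init(SAFE_ACTION_SOURCE)
    first = rt.run({"payload": '{"b": 2, "a": 1}'})
    try:
        rt.init(REPLACEMENT_SOURCE)
        refused = False
    except ReinitializationError:
        refused = True
    second = rt.run({"payload": '{"b": 2, "a": 1}'})
    return {"first": first, "refused": refused, "second": second,
            "audit_log": rt.audit_log}


def payload_is_data_only(source: str, payload: str) -> bool:
    """True when the action rejects a non-JSON payload instead of running it."""
    rt = ActionRuntime()
    rt.init(source)
    try:
        rt.run({"payload": payload})
    except ValueError:  # json.loads raises on anything that is not JSON
        return True
    return False


if __name__ == "__main__":
    print("hardened runtime:", invoke_sequence(init_once=True))
    print("legacy runtime:  ", invoke_sequence(init_once=False))
    print("safe action rejects non-JSON:",
          payload_is_data_only(SAFE_ACTION_SOURCE, "[1, 2] + [3]"))
```

With `init_once=True` the second invocation still returns the original function's result and the audit log records the refused load; with `init_once=False` the second invocation runs the replacement, which is the persistence across "subsequent executions of the same user's function" that the bulletin describes. The `payload_is_data_only` check makes the function-layer point: the JSON-parsing action raises on an input that is not data, whereas the eval() variant executes it. In a real deployment the two layers are complementary: the runtime fix removes the overwrite path, and parsing parameters as data removes the pre-condition the bulletin places in the user's hands.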
