High Severity

IBM Security Bulletin: IBM Cloud Functions is affected by two function runtimevulnerabilities

Share this post:

IBM Cloud Functions has addressed the following vulnerabilities. Users of the IBM Cloud Functions service that are using docker actions (https://console.bluemix.net/docs/openwhisk/openwhisk_actions.html#creating-docker-actions) are affected but only if the user’s function has a general security vulnerability. In this context general vulnerability means for example parameter hijacking, remote code execution or wrong usage of “eval()” (generally addressed via secure engineering best practices). With this vulnerability being present, an attacker can exploit an Apache OpenWhisk specific vulnerability to overwrite the user functions code that is then executed in subsequent executions of the same user’s function. The CVE listed below only refer to the ability to overwrite the action code. The general vulnerability which is a pre-condition for these CVEs is out of scope of this document as it is subject to general secure engineering best practices. Exploitation of the issue is only possible if the user included function code is vulnerable. The vulnerability only affects users with action code that is vulnerable in the first place. Other users who followed general secure engineering best practices are not affected.

CVE(s): CVE-2018-11756, CVE-2018-11757

Affected product(s) and affected version(s):

IBM Cloud Functions service by using custom docker images.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10718977
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/147372
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/147371

More stories

Security Bulletin: Db2 vulnerabilities affect IBM Spectrum Protect Server (CVE-2020-4230, CVE-2020-4135, CVE-2020-4204, CVE-2020-4200)

Aug 12, 2020 8:01 pm EDT | High Severity

The IBM Spectrum Protect Server is affected by multiple Db2 vulnerabilities such as privilege escalation, denial of service, and buffer overflow. ...read more


Security Bulletin: Security vulnerability has been identified in BigFix Platform shipped with IBM License Metric Tool.

Aug 12, 2020 8:01 pm EDT | High Severity

BigFix Platform is shipped with IBM License Metric Tool. Information about a security vulnerability affecting BigFix Platform has been published in a security bulletin. ...read more


Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2020-11655, CVE-2020-11656)

Aug 12, 2020 8:00 pm EDT | High Severity

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. Or the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement. ...read more