Security bulletins and fixes

Stay informed about known security vulnerabilities and fixes for IBM Cloud Pak® for AIOps by subscribing to the security bulletins and by reviewing the list of fixed security-related vulnerabilities.

Security bulletins

Subscribe to IBM Cloud Pak for AIOps notifications by following these steps:

  1. Go to the IBM Support site.

  2. Scroll to the Support basics section. Then, click the Notification settings card.

  3. Log in to IBM with your IBMid and password to continue.

  4. Enter IBM Cloud Pak for AIOps in the Product lookup field. Click Subscribe.

  5. In the Select document types page, select Security bulletin and Fixes > Security Vulnerability (Sec/Int). You can also select any other document types that you need to keep informed about.

  6. Click Submit.

  7. To configure how you receive notifications, click Delivery preferences in the banner at the beginning of the page. Edit your settings as needed.

Fixed security-related vulnerabilities in version 4.8.1

Review the following table, which lists the reported security-related vulnerabilities that are fixed in IBM Cloud Pak for AIOps and in any included IBM or third-party software.

Table. Fixed Common Vulnerabilities and Exposures in Version 4.8.1
CVE-ID | Issue | Description
CVE-2018-1002101 | Kubernetes volume mounts command execution | Kubernetes could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation when setting up volume mounts on Windows nodes. By sending specially crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2019-11250 | Kubernetes client-go library information disclosure | Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by the client-go library storing credentials in the log. By sending a specially crafted command, an attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system.
CVE-2019-11253 | Kubernetes API server denial of service | The Kubernetes API server is vulnerable to a denial of service, caused by an error when parsing YAML manifests that allows a billion laughs attack. A remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2019-1002100 | Kubernetes API server denial of service | The Kubernetes API server is vulnerable to a denial of service. By sending specially crafted patch requests of type "json-patch", a remote authenticated attacker could exploit this vulnerability to consume an excessive amount of resources.
CVE-2019-1002101 | Kubernetes kubectl cp directory traversal | Kubernetes could allow a remote attacker to traverse directories on the system, caused by the improper handling of symlinks. By persuading a victim to use the kubectl cp command or the oc cp command with a malicious container, an attacker could replace or delete arbitrary files on the host machine.
CVE-2020-8555 | Kubernetes server-side request forgery | Kubernetes is vulnerable to server-side request forgery, caused by a flaw in the kube-controller-manager. By using a specially crafted argument, a remote authenticated attacker could exploit this vulnerability to conduct an SSRF attack and leak up to 500 bytes of arbitrary information from unprotected endpoints.
CVE-2020-8558 | Kubernetes kube-proxy security bypass | Kubernetes kube-proxy could allow a remote attacker to bypass security restrictions, caused by a default insecure port setting. By sending a specially crafted request, an attacker could exploit this vulnerability to gain access to TCP and UDP services on the node(s) that are bound to 127.0.0.1.
CVE-2020-8559 | Kubernetes kube-apiserver privilege escalation | Kubernetes kube-apiserver could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when multiple clusters share the same certificate authority trusted by the client. By intercepting certain requests and sending a redirect response, an attacker could exploit this vulnerability to compromise other nodes.
CVE-2020-8564 | Kubernetes information disclosure | Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when pull secrets are stored in a Docker config file and loglevel >= 4. By gaining access to the configuration files, an attacker could exploit this vulnerability to obtain full secrets or other credentials in Docker, and use this information to launch further attacks against the affected system.
CVE-2020-8565 | Kubernetes information disclosure | Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when kube-apiserver is using logLevel >= 9. By gaining access to the log files, an attacker could exploit this vulnerability to obtain Kubernetes authorization tokens, and use this information to launch further attacks against the affected system.
CVE-2021-3903 | Vim buffer overflow | Vim is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. By sending specially crafted input, a local attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition on the system.
CVE-2021-25735 | Kubernetes kube-apiserver security bypass | Kubernetes kube-apiserver could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when performing node updates. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass a Validating Admission Webhook.
CVE-2021-25736 | Kubernetes kube-proxy for Windows information disclosure | Kubernetes kube-proxy for Windows could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the LoadBalancer controller does not set the "status.loadBalancer.ingress[].ip" field. An attacker could exploit this vulnerability to obtain traffic that is forwarded to local processes listening on the same port ("spec.ports[*].port") as a LoadBalancer Service, and use this information to launch further attacks against the affected system.
CVE-2021-25741 | Kubernetes security bypass | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange flaw in kubelet. By sending a specially crafted request, an attacker could exploit this vulnerability to create a container with subpath volume mounts that access files and directories outside of the volume.
CVE-2021-25743 | Kubernetes kubectl security bypass | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by improper filtering of ANSI escape characters in kubectl. By sending specially crafted input, an attacker could exploit this vulnerability to hide events, change the title of the terminal window, and spoof data.
CVE-2023-2431 | Kubernetes security bypass | Kubernetes could allow a local authenticated attacker to bypass security restrictions, caused by a flaw when the seccomp profile type is Localhost but the profile field is empty. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass seccomp profile enforcement.
CVE-2023-2727 | Kubernetes security bypass | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the ImagePolicyWebhook admission plugin is used together with ephemeral containers. By sending a specially crafted request, an attacker could exploit this vulnerability to launch restricted containers.
CVE-2023-2728 | Kubernetes security bypass | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the mountable secrets policy and launch containers.
CVE-2023-3676 | Kubernetes privilege escalation | Kubernetes could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation on Windows nodes. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain admin privileges.
CVE-2023-3955 | Kubernetes privilege escalation | Kubernetes could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation on Windows nodes. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain admin privileges.
CVE-2023-5528 | Kubernetes kubelet privilege escalation | Kubernetes kubelet could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation in an in-tree storage plugin. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-5954 | HashiCorp Vault and Vault Enterprise denial of service | HashiCorp Vault and Vault Enterprise are vulnerable to a denial of service, caused by an unbounded consumption of memory flaw when triggering a policy check. By sending specially crafted inbound client requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2023-6337 | HashiCorp Vault and Vault Enterprise denial of service | HashiCorp Vault and Vault Enterprise are vulnerable to a denial of service, caused by improper input validation. By sending specially crafted unauthenticated and authenticated HTTP requests, a remote attacker could exploit this vulnerability to cause memory exhaustion, resulting in a denial of service condition.
CVE-2023-37920 | Certifi unspecified | An unspecified error related to the removal of the e-Tugra root certificate in Certifi has an unknown impact and attack vector.
CVE-2024-0793 | Kubernetes kube-controller-manager denial of service | A flaw was found in kube-controller-manager. This issue occurs when the initial application of an HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.
CVE-2024-2048 | HashiCorp Vault and Vault Enterprise security bypass | HashiCorp Vault and Vault Enterprise could allow a remote attacker to bypass security restrictions, caused by improper validation of client certificates when a non-CA certificate is configured as the trusted certificate. By using a specially crafted certificate, an attacker could exploit this vulnerability to bypass authentication.
CVE-2024-2660 | HashiCorp Vault and Vault Enterprise security bypass | HashiCorp Vault and Vault Enterprise could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of OCSP responses when one or more OCSP sources are configured. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication validation.
CVE-2024-3177 | Kubernetes kube-apiserver security bypass | Kubernetes kube-apiserver could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when using containers, init containers, and ephemeral containers with the envFrom field populated. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the mountable secrets policy enforced by the ServiceAccount admission plugin.
CVE-2024-4032 | Python CPython unspecified | An unspecified error in Python CPython, where the ipaddress module considers some addresses that are not globally reachable to be global and vice versa, has an unknown impact and attack vector.
CVE-2024-4603 | OpenSSL denial of service | OpenSSL is vulnerable to a denial of service, caused by improper input validation in the EVP_PKEY_param_check() or EVP_PKEY_public_check() function. By supplying a specially crafted DSA public key or DSA parameters for parsing, a remote attacker could exploit this vulnerability to cause long delays, resulting in a denial of service condition.
CVE-2024-5321 | Kubernetes kubelet security bypass | Kubernetes kubelet could allow a local authenticated attacker to bypass security restrictions, caused by incorrect permissions on Windows container logs. By sending a specially crafted request, an attacker could exploit this vulnerability to read and modify container logs.
CVE-2024-5798 | HashiCorp Vault and Vault Enterprise information disclosure | HashiCorp Vault and Vault Enterprise could allow a remote authenticated attacker to obtain sensitive information, caused by improper validation of the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2024-6468 | HashiCorp Vault and Vault Enterprise denial of service | HashiCorp Vault and Vault Enterprise are vulnerable to a denial of service, caused by improper handling of requests originating from unauthorized IP addresses when the TCP listener option proxy_protocol_behavior is set to deny_unauthorized. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the Vault API server to shut down, resulting in a denial of service condition.
CVE-2024-6923 | Python CPython email header injection | Python CPython is vulnerable to email header injection, caused by the failure to properly quote newlines in email headers when serializing an email message. By persuading a victim to open a specially crafted email, a remote authenticated attacker could exploit this vulnerability to spoof the sender identity, send email without authorization, or cause loss of control over email communication.
CVE-2024-7006 | LibTIFF denial of service | LibTIFF is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in tif_dirinfo.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVE-2024-7594 | HashiCorp Vault security bypass | HashiCorp Vault could allow a remote authenticated attacker to bypass security restrictions, caused by the SSH secrets engine not requiring the valid_principals list to contain a value by default. By sending a specially crafted request, an attacker could exploit this vulnerability to authenticate as any user on the host.
CVE-2024-8185 | HashiCorp Vault Community and Vault Enterprise denial of service | HashiCorp Vault Community and Vault Enterprise are vulnerable to a denial of service, caused by a flaw when processing Raft Cluster Join requests. By sending specially crafted requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-9180 | Vault operators in root namespace may elevate their privileges | A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
CVE-2024-9902 | Red Hat Ansible security bypass | Red Hat Ansible could allow a local authenticated attacker to bypass security restrictions, caused by a flaw in the ansible-core user module. By sending a specially crafted request, an attacker could exploit this vulnerability to silently create or replace the contents of any file on any system path and take ownership of it.
CVE-2024-10220 | Kubernetes kubelet command execution | Kubernetes kubelet could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper permission validation in the gitRepo volume. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands beyond the container boundary.
CVE-2024-10976 | PostgreSQL security bypass | Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs.
CVE-2024-10978 | PostgreSQL security bypass | PostgreSQL could allow a remote authenticated attacker to bypass security restrictions, caused by an incorrect privilege assignment. By sending a specially crafted request, an attacker could exploit this vulnerability to view or change rows other than those intended.
CVE-2024-10979 | PostgreSQL code execution | PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an incorrect control of environment variables flaw. By changing sensitive process environment variables, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-21003 | Oracle Java SE, Oracle GraalVM Enterprise Edition unspecified | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the JavaFX component could allow a remote attacker to cause a low integrity impact.
CVE-2024-21005 | Oracle Java SE, Oracle GraalVM Enterprise Edition unspecified | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the JavaFX component could allow a remote authenticated attacker to cause a low integrity impact.
CVE-2024-21068 | Oracle Java SE, GraalVM for JDK and GraalVM unspecified | An unspecified vulnerability in Oracle Java SE, GraalVM for JDK and GraalVM related to the Hotspot component could allow a remote authenticated attacker to cause a low integrity impact.
CVE-2024-21536 | http-proxy-middleware denial of service | http-proxy-middleware is vulnerable to a denial of service, caused by an UnhandledPromiseRejection error thrown by micromatch. By sending specially crafted requests to certain paths, a remote attacker could exploit this vulnerability to kill the Node.js process and crash the server.
CVE-2024-24789 | Golang Go security bypass | Golang Go could allow a local attacker to bypass security restrictions, caused by EOCDR comment length handling in the archive/zip package that is inconsistent with other ZIP implementations. By sending a specially crafted request, an attacker could exploit this vulnerability to create a zip file whose contents vary depending on the implementation reading the file.
CVE-2024-26458 | Kerberos 5 denial of service | Kerberos 5 is vulnerable to a denial of service, caused by a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-26461 | Kerberos 5 denial of service | Kerberos 5 is vulnerable to a denial of service, caused by a memory leak in /krb5/src/lib/gssapi/krb5/k5sealv3.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-26462 | Kerberos 5 denial of service | Kerberos 5 is vulnerable to a denial of service, caused by a memory leak in /krb5/src/kdc/ndr.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-27043 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in dvbdev of 'media: edia'. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-28863 | isaacs node-tar denial of service | isaacs node-tar is vulnerable to a denial of service, caused by the lack of folder count validation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-38564 | bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE | In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE
CVE-2024-39338 | Axios server-side request forgery | Axios is vulnerable to server-side request forgery, caused by path-relative URLs in requests being processed as protocol-relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVE-2024-45490 | libexpat weak security | libexpat could provide weaker than expected security, caused by the failure to reject a negative length for XML_ParseBuffer. By providing a negative length value to the XML_ParseBuffer function, a remote attacker could exploit this vulnerability to cause improper handling of XML data.
CVE-2024-46695 | selinux,smack: don't bypass permissions check in inode_setsecctx hook | In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don't bypass permissions check in inode_setsecctx hook
CVE-2024-47874 | Starlette denial of service (DoS) via multipart/form-data | Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrarily large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) that accept form requests. Version 0.40.0 fixes this issue.
CVE-2024-49949 | net: avoid potential underflow in qdisc_pkt_len_init() with UFO | In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO
CVE-2024-50099 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a flaw in arm64: probes. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-50110 | xfrm: fix one more kernel-infoleak in algo dumping | In the Linux kernel, the following vulnerability has been resolved: xfrm: fix one more kernel-infoleak in algo dumping
CVE-2024-50142 | xfrm: validate new SA's prefixlen using SA family when sel.family is unset | In the Linux kernel, the following vulnerability has been resolved: xfrm: validate new SA's prefixlen using SA family when sel.family is unset
CVE-2024-50192 | irqchip/gic-v4: Don't allow a VMOVP on a dying VPE | In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v4: Don't allow a VMOVP on a dying VPE
CVE-2024-53122 | mptcp: cope racing subflow creation in mptcp_rcv_space_adjust | In the Linux kernel, the following vulnerability has been resolved: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
CVE-2024-53861 | PyJWT security bypass | PyJWT could allow a remote attacker to bypass security restrictions, caused by an incorrect string comparison being used for iss checking, resulting in "acb" being accepted for "_abc_". An attacker could exploit this vulnerability to have partial matches on the issuer field accepted.
CVE-2024-53985 | Ruby on Rails Rails HTML Sanitizers cross-site scripting | Ruby on Rails Rails HTML Sanitizers is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-53986 | Ruby on Rails Rails HTML Sanitizers cross-site scripting | Ruby on Rails Rails HTML Sanitizers is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-53987 | Ruby on Rails Rails HTML Sanitizers cross-site scripting | Ruby on Rails Rails HTML Sanitizers is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-53988 | Ruby on Rails Rails HTML Sanitizers cross-site scripting | Ruby on Rails Rails HTML Sanitizers is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-53989 | Ruby on Rails Rails HTML Sanitizers cross-site scripting | Ruby on Rails Rails HTML Sanitizers is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-54133 | Possible Content Security Policy bypass in Action Dispatch | Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass

Fixed security-related vulnerabilities in previous versions

Review the following documentation, which includes the list of fixed reported security-related vulnerabilities in previous versions of IBM Cloud Pak for AIOps: