Security Bulletin: Multiple Vulnerabilities in Ubuntu affect IBM Workload Scheduler 9.5

Security Bulletin

Summary

Vulnerabilities CVE-2019-11484, CVE-2019-11485, CVE-2019-11483, CVE-2019-11482 have been found in Ubuntu and potentially affect container images of IBM Workload Scheduler 9.5

Vulnerability Details

CVEID: CVE-2019-11484
DESCRIPTION: Ubuntu whoopsie package could allow a local authenticated attacker to execute arbitrary code on the system, caused by an integer overflow in the bson_ensure_space function. By using specially crafted crash reports, an attacker could exploit this vulnerability to execute arbitrary code, obtain sensitive information, or cause a denial of service condition on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176573 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11485
DESCRIPTION: Ubuntu Apport package is vulnerable to a denial of service, caused by the mishandling of lock-file creation. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176572 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-11483
DESCRIPTION: Ubuntu Apport package could allow a local authenticated attacker to bypass security restrictions, caused by the mishandling of crash dumps originating from containers. By sending a specially-crafted request, an attacker could exploit this vulnerability to generate a crash report for a privileged process.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176571 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2019-11482
DESCRIPTION: Ubuntu Apport package could allow a local authenticated attacker to bypass security restrictions, caused by a time of check to time of use (TOCTTOU) flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause core files to be written in arbitrary directories.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176570 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

IBM Workload Scheduler Distributed 9.5.0 FP01 and earlier

Remediation/Fixes

APAR IJ24525 has been opened to address Ubuntu vulnerabilities affecting IBM Workload Scheduler.
Apar IJ24525 is already included in IBM Workload Scheduler 9.5 FP02, already available on FixCentral.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Change History

26 Apr 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS8GJD","label":"IBM Workload Automation"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

Security Bulletin: Multiple Vulnerabilities in Ubuntu affect IBM Workload Scheduler 9.5