Security Bulletin: IBM Cloud Functions is affected by two function runtime vulnerabilities

Security Bulletin


Summary

IBM Cloud Functions has addressed the following vulnerabilities. Users of the IBM Cloud Functions service who use Docker actions (https://console.bluemix.net/docs/openwhisk/openwhisk_actions.html#creating-docker-actions) are affected, but only if the user's function itself has a general security vulnerability. In this context, a general vulnerability means, for example, parameter hijacking, remote code execution or incorrect use of "eval()" (issues that are generally addressed through secure engineering best practices). Where such a vulnerability is present, an attacker can exploit an Apache OpenWhisk specific vulnerability to overwrite the user function's code, and the overwritten code is then executed in subsequent invocations of the same user's function. The CVEs listed below refer only to the ability to overwrite the action code. The general vulnerability that is a pre-condition for these CVEs is out of scope of this document, as it is subject to general secure engineering best practices. Exploitation is therefore only possible if the function code the user included is vulnerable in the first place; users who followed general secure engineering best practices are not affected.

Vulnerability Details

CVEID: CVE-2018-11756
DESCRIPTION: Apache OpenWhisk could allow a remote attacker to execute arbitrary code on the system, caused by an error in PHP Runtime. An attacker could exploit this vulnerability using a specially crafted parameter to overwrite the source code of a function being executed inside the container and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147372 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-11757
DESCRIPTION: Apache OpenWhisk could allow a remote attacker to execute arbitrary code on the system, caused by an error in PHP Runtime. An attacker could exploit this vulnerability using a specially crafted parameter to overwrite the source code of a function being executed inside the container and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147371 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Cloud Functions service by using custom docker images.

Remediation/Fixes

Users who create custom Docker runtimes to run as IBM Cloud Functions Docker actions, and who pin their Docker runtime image (e.g., a Dockerfile that starts with "FROM openwhisk/dockerskeleton:1.0.0"), should upgrade their Docker tag to the latest available tag and rebuild their actions following the documentation: https://console.bluemix.net/docs/openwhisk/openwhisk_actions.html#creat…. Users who create Docker images not based on the IBM Cloud Functions provided Docker SDK should use the latest commit Git tag https://github.com/apache/incubator-openwhisk-runtime-docker/commit/891…. All other supported runtimes (php, java, nodejs, swift, python, etc.) do not require any action by the user, as the fix has been deployed to all IBM Cloud Functions regions and is applied automatically.

Workarounds and Mitigations

Exploitation of the vulnerability is only possible if the user's function code is vulnerable.

To prevent exploitation of the issue, all security engineering best practices should also be followed when creating actions in IBM Cloud Functions. This includes parameter sanitisation, scanning action code and dependencies for vulnerabilities, keeping dependencies up to date, scanning APIs for vulnerabilities, etc.
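As an added example (not IBM's or Apache OpenWhisk's code) of the parameter sanitisation this section recommends, the following Python action entry point validates every incoming parameter against an allowlist schema before any of it is used. It assumes the OpenWhisk Docker action contract in which the invocation parameters arrive as one JSON object (passed as the first command-line argument by the dockerskeleton exec wrapper); the schema, the parameter names and the image-resize task are hypothetical.

```python
"""Allowlist validation of action parameters before they reach any sensitive call.

Added example, not IBM's or Apache OpenWhisk's code. It assumes a Docker action
whose entry point receives the invocation parameters as one JSON object and
models the parameter-sanitisation step the bulletin recommends: unknown keys,
wrong types and over-long or out-of-pattern values are rejected before any
parameter is used.
"""
import json
import re
from typing import Any, Dict

# Hypothetical schema for a hypothetical "resize image" action.
# Each entry gives the expected type plus optional constraints.
PARAM_SCHEMA: Dict[str, Dict[str, Any]] = {
    "image_name": {"type": str, "pattern": r"^[A-Za-z0-9_.-]{1,64}$"},
    "width": {"type": int, "min": 1, "max": 4096},
    "height": {"type": int, "min": 1, "max": 4096},
    "format": {"type": str, "choices": {"png", "jpeg"}},
}
REQUIRED = {"image_name", "width", "height"}


class ParamError(ValueError):
    """Raised when the invocation parameters fail validation."""


def validate_params(params: Dict[str, Any]) -> Dict[str, Any]:
    """Return a cleaned copy of params or raise ParamError.

    Strict allowlist: any key not in the schema is rejected rather than
    ignored, so extra fields cannot reach downstream code (a template, a
    shell command, a file path) that might otherwise pick them up.
    """
    if not isinstance(params, dict):
        raise ParamError("parameters must be a JSON object")
    unknown = set(params) - set(PARAM_SCHEMA)
    if unknown:
        raise ParamError(f"unexpected parameter(s): {sorted(unknown)}")
    missing = REQUIRED - set(params)
    if missing:
        raise ParamError(f"missing parameter(s): {sorted(missing)}")
    clean: Dict[str, Any] = {}
    for key, value in params.items():
        rule = PARAM_SCHEMA[key]
        # bool is a subclass of int in Python; exclude it explicitly
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            raise ParamError(f"{key}: expected {rule['type'].__name__}")
        if "pattern" in rule and not re.match(rule["pattern"], value):
            raise ParamError(f"{key}: value does not match allowed pattern")
        if "choices" in rule and value not in rule["choices"]:
            raise ParamError(f"{key}: value not in {sorted(rule['choices'])}")
        if "min" in rule and value < rule["min"]:
            raise ParamError(f"{key}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            raise ParamError(f"{key}: above maximum {rule['max']}")
        clean[key] = value
    clean.setdefault("format", "png")
    return clean


def main(params: Dict[str, Any]) -> Dict[str, Any]:
    """Action entry point: validate first, then act on the cleaned copy only."""
    try:
        clean = validate_params(params)
    except ParamError as exc:
        # Reject with a structured error; the raw input is never echoed back
        return {"error": str(exc)}
    # Real work would go here, using only `clean`, never `params`.
    return {"ok": True, "job": clean}


if __name__ == "__main__":
    import sys
    # dockerskeleton-style invocation: the JSON parameters arrive as argv[1];
    # a constructed default is used when run without arguments.
    raw = sys.argv[1] if len(sys.argv) > 1 else (
        '{"image_name": "cat.png", "width": 100, "height": 80}'
    )
    print(json.dumps(main(json.loads(raw))))
```

The design choice worth noting is that unknown keys are an error rather than being silently dropped: a parameter-hijacking attempt usually arrives as an extra or unexpectedly typed field, and failing closed makes such attempts visible in the action's logs instead of letting them reach whatever the action does next.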

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date:
29 July 2018

UID

ibm10718977