IBM Support

Security Bulletin: A Security Vulnerability could affect IBM® Cloud Private (CVE-2018-10892)

Created by Tod Thorpe on
Published URL:
https://www.ibm.com/support/pages/node/739839
739839

Security Bulletin


Summary

Users of IBM Cloud Private and the IBM Cloud Automation Manager component could be affected by a vulnerability in Docker

Vulnerability Details

CVEID: CVE-2018-10892
DESCRIPTION: Docker could allow a local attacker to bypass security restrictions, caused by the failure to block /proc/acpi pathnames by the default OCI linux spec in oci/defaults{_linux}.go. An attacker could exploit this vulnerability to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147374 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)

 

Affected Products and Versions

IBM Cloud Private 2.1.0.x and 3.1.0

 

Remediation/Fixes

Upgrade Docker to version 18.03.1 or higher.

Docker upgrade instructions for IBM Cloud Private:

Ubuntu: https://docs.docker.com/install/linux/docker-ce/ubuntu/

RHEL: https://docs.docker.com/install/linux/docker-ce/centos/

 

Docker upgrade instructions for IBM Cloud Automation Manager component are below:

IBM Cloud Automation Manager Content Runtime deployment installs either Docker CE or Docker EE on the Content Runtime virtual machine based on user selection. Docker CE is installed either using Docker provided convenience scripts or using the installation binary provided by the user. Docker EE is installed using the Docker EE repository URL provided by the user or the installation binary provided by the user.

 

To fix this vulnerability,  you need to upgrade the Docker Engine to 18.03.1 or 18.06.1.  Do not upgrade to 18.09 or higher as the devicemapper storage driver that is used by your content runtime deployment is deprecated in 18.09.    Follow these steps to upgrade the Docker Engine installed on your Content Runtime virtual machine.

 

If you are using Docker Universal Control Plane or Docker Trusted Registry you will not be able to upgrade to 18.x. Refer to release notes provided in https://docs.docker.com/release-notes/docker-ce/  and https://docs.docker.com/ee/engine/release-notes/ for more information. Also refer to https://docs.docker.com/ee/upgrade/ for general information on Docker EE upgrades.

 

Before you upgrade the Docker Engine:

1. Verify the docker engine version that is running on your Content Runtime Virtual Machine. If the version that is running is lower than 18.03.1, then you need to upgrade.

2. Make sure you have no middleware content template deployments or destructions or deletes in “Progress” state. If there are, then wait for them to complete before your start your upgrade.

3. Execute the following command to bring down the pattern manager and software repository containers on the Content Runtime Virtual Machine.

 

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml down

 

Upgrade Docker CE on Ubuntu

1. Execute the following command to update the apt packages

 

sudo apt-get update

 

2. List the versions available in your repo. Verify if the version you need is in the list.

 

sudo apt-cache madison docker-ce

 

3. Install a specific version by its fully qualified package name

 

sudo apt-get install docker-ce=<VERSION>

 

Where version is the second column from output of the step 3


Example: sudo apt-get install docker-ce=18.06.1~ce~3-0~ubuntu

4. Verify the docker version using the following command


sudo docker version

5. Restart the containers using the following command 

 

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

 

6. Verify if the containers are started by executing the following command.

 

sudo docker ps

 

For more details on install and upgrade of Docker CE on Ubuntu refer to https://docs.docker.com/install/linux/docker-ce/ubuntu/

 

 

Upgrade Docker EE on Ubuntu

 

1. Execute the following command to set up the repository for Docker Engine 18.03


sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu <YOUR_UBUNTU_VERSION> stable-18.03"

Example: sudo add-apt-repository "deb [arch=amd64] https://storebits.docker.com/ee/trial/sub-xxx-xxx-xxx-xxx-xxx/ubuntu xenial stable-18.03"

2. Execute the following command to update the apt packages

sudo apt-get update

3. List the versions available in your repo. Verify if the version you need is in the list.

sudo apt-cache madison docker-ee

4. Install a specific version by its fully qualified package name

 

sudo apt-get install docker-ee=<VERSION>

 

Where version is the second column from output of the step 3

   
Example: sudo apt-get install docker-ee=3:18.03.1~ee~3~3-0~ubuntu

5. Verify the docker version using the following command 

sudo docker version

6. Restart the containers using the following command 

 

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

 

7. Verify if the containers are started by executing the following command.

 

sudo docker ps

 

For more details on install and upgrade of Docker EE on Ubuntu refer to https://docs.docker.com/install/linux/docker-ee/ubuntu/

 

Upgrade Docker EE on Red Hat Linux

 

1. Execute the following command to set up the repository for Docker Engine 18.03


 
sudo yum-config-manager --enable docker-ee-stable-18.03

 
2. List the versions available in your repository. Verify if the version you need is in the list. 

sudo yum list docker-ee --showduplicates | sort -r

3. Install the latest docker engine

sudo yum -y install docker-ee
 
4. Verify the docker version using the following command 

sudo docker version

5. Restart the containers using the following command 

 

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

 

6. Verify if the containers are started by executing the following command.

 

sudo docker ps


 
For more details on install and upgrade of Docker EE on Red Hat Linux refer to 
https://docs.docker.com/install/linux/docker-ee/rhel/


 
Upgrade Docker installed using binary files

If you installed Docker on Content Runtime virtual machine using the Docker Installation file option during Content 
Runtime deployment, then you need to download the debian or rpm package from Docker and upgrade the package. 

For more information, depending on your operating system and Docker Engine Edition, refer to Upgrade section in 
one of the following link

https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-from-a-package, 
https://docs.docker.com/install/linux/docker-ee/rhel/#install-with-a-package, 
or https://docs.docker.com/install/linux/docker-ee/ubuntu/#install-from-a-package 

For Red Hat execute the following steps

1. Upgrade to new version using

sudo yum -y upgrade <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using 

docker version

3. Restart the containers using the following command 

 

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

 

4. Verify if the containers are started by executing the following command.

 

docker ps


 
For Ubuntu execute the following steps

1. Upgrade to new version using

sudo dpkg -i <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using 

docker version

3. Restart the containers using the following command

 

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

 

4. Verify if the containers are started by executing the following command.

 

docker ps


 

 

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

14 November 2018 - original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSBS6K","label":"IBM Cloud Private"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.1.0, 3.1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
14 November 2018

UID

ibm10739839