IBM Support

Security Bulletin: Vulnerability in Python affects Watson Studio (Notebook) (CVE-2018-14647)

Security Bulletin


Summary

Python is vulnerable to a denial of service, caused by a flaw in the elementtree C accelerator. By using a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a resource exhaustion.

Vulnerability Details

DESCRIPTION: Python’s elementtree C accelerator failed to initialize Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM. 
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/150579 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

  • IBM Watson Studio Paygo 1.0   ( Spark and Default Environments for Python 2.7 and Python 3.5)
  • IBM Watson Studio Enterprise 1.0   (Spark and Default Environments for Python 2.7 and Python 3.5)

Remediation/Fixes

  1. This Vulnerability is remediated in IBM Watson Studio with Python 3.6 support for Spark and Default Environments.
  2. Spark Environment support for Python 2.7 and Python 3.5 is deprecated as of May 15 2019 and become unavailable as of June 15 2019. Users must move their Notebooks to Python 3.6
  3. Default Environment Support for Python 2.7 and Python 3.5 is deprecated as of July 16 2019 and become unavailable as of Aug 28 2019. Users must move their Notebooks to Python 3.6.
  4. Refer to Watson Studio Python 3.6 Announcement for more details. 

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

Change History

03 June 2019: Original version published
16 July 2019 : Updated for Python 3.6 Availability

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSCLA9","label":"Watson Studio"},"Component":"Watson Studio (Notebook)","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
06 July 2020

UID

ibm10886249