Security Bulletin: IBM Cloud Automation Manager is affected by an issue with API endpoints behind the 'docker cp'

Created by Bhadri Madapusi on Tue, 07/23/2019 - 19:55

Published URL:

https://www.ibm.com/support/pages/node/960227

960227

Security Bulletin

Summary

IBM Cloud Automation Manager is affected by an issue with docker cp command that is vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges.

Vulnerability Details

CVEID: CVE-2018-15664
DESCRIPTION: Docker could allow a remote attacker to traverse directories on the system, caused by symlink-exchange race attacks in docker cp. By allowing the execution of container processes while conducting filesystem operations on the container, an attacker could exploit this vulnerability to gain read and write access to any path on the host.
CVSS Base Score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

IBM Cloud Automation Manager 3.1.x, 3.2.0

Remediation/Fixes

IBM Cloud Automation Manager Content Runtime deployment installs either Docker CE or Docker EE on the Content Runtime system based on user selection. Docker CE is installed either using Docker provided convenience scripts or using the installation binary provided by the user. Docker EE is installed using the Docker EE repository URL provided by the user or the installation binary provided by the user.

This instruction assumes that you already upgraded your docker engine for CVE 2019-5736 https://www.ibm.com/support/docview.wss?uid=ibm10871642. After applying the fix for CVE 2019-5736, you must be running one of the following docker versions: Docker CE 18.06.3 or higher, Docker CE 18.09.2 or higher, Docker EE 18.03.1-ee.6 or higher, Docker EE 18.09.2 or higher

To fix the vulnerability described in CVE 2018-15664, you need to upgrade your

Docker CE version 18.09.x to 18.09.7 or higher
Docker EE version 18.03.x to 18.03.1-ee.9 or higher
Docker EE version 18.09.x to 18.09.7 or higher

Note: If you are using Docker CE 18.06.x, then you must upgrade to Docker CE 19.03. Docker CE 18.06.x is no longer supported.

Before you upgrade the Docker Engine:

1. Execute the following command to verify the docker engine version that is running on your Content Runtime system.

docker version

If the version is lower than Docker CE 18.09.7, Docker EE 18.03.1-ee.9 or Docker EE 18.09.7 then you need to upgrade.

2. Make sure you have no middleware content template deployments or destructions or deletes in “Progress” state. If they are in Progress state, then wait for them to complete.

3. Execute the following command to bring down the pattern manager and software repository containers on the Content Runtime system.

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml down

Upgrade Docker CE on Ubuntu

1. Execute the following command to update the apt packages

sudo apt-get update

2. List the versions available in your repo. Verify if the version you need is in the list.

sudo apt-cache madison docker-ce

3. Install a specific version by its fully qualified package name.

sudo apt-get install docker-ce=<VERSION_STRING> docker-ce cli=<VERSION_STRING> containerd.io

       where version string is the second column from output of step 2

   Example:

   sudo apt-get install docker-ce= 5:18.09.8~3-0~ubuntu-xenial 
   docker-ce-cli= 5:18.09.8~3-0~ubuntu-xenial containerd.io

4. Verify the docker version using the following command

sudo docker version

5. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

6. Verify if the containers are started by executing the following command.

sudo docker ps

For more details on install and upgrade of Docker CE on Ubuntu refer to https://docs.docker.com/install/linux/docker-ce/ubuntu/

Upgrade Docker EE on Ubuntu

1. Execute the following command to set up the repository for Docker Engine 18.03 or 18.09. If your current version is Docker EE 18.03, then set up 18.03 repository. If your current version is Docker EE 18.09, then set up 18.09 repository.

sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu 
<YOUR_UBUNTU_VERSION> stable-18.03"

or

sudo add-apt-repository "deb [arch=amd64] <YOUR_DOCKER_EE_REPO_URL>/ubuntu 
<YOUR_UBUNTU_VERSION> stable-18.09"

Example: sudo add-apt-repository "deb [arch=amd64] 
https://storebits.docker.com/ee/trial/sub-xxx/ubuntu xenial stable-18.03"
Example: sudo add-apt-repository "deb [arch=amd64] 
https://storebits.docker.com/ee/trial/sub-xxx/ubuntu xenial stable-18.09"

2. Execute the following command to update the apt packages

sudo apt-get update

3. List the versions available in your repo. Verify if the version you need is in the list.

    sudo apt-cache madison docker-ee

4. Based on your current docker version, install a specific version by its fully qualified package name

To upgrade 18.03 execute:

sudo apt-get install docker-ee=<VERSION>

To upgrade 18.09 execute:

sudo apt-get install docker-ee=<VERSION_STRING> 
docker-ee-cli=<VERSION_STRING> containerd.io

Where version_string is the second column from output of step 3

Example: sudo apt-get install docker-ee=3:18.03.1~ee~3~3-0~ubuntu

Example: sudo apt-get install docker-ee= 5:18.09.3~3-0~ubuntu-xenial docker-ee-cli= 5:18.09.3~3-0~ubuntu-xenial containerd.io

5. Verify the docker version using the following command

sudo docker version

6. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

7. Verify if the containers are started by executing the following command.

sudo docker ps

For more details on install and upgrade of Docker EE on Ubuntu refer to 
https://docs.docker.com/install/linux/docker-ee/ubuntu/

Upgrade Docker EE on Red Hat Linux

sudo yum-config-manager --enable docker-ee-stable-18.03 or
sudo yum-config-manager --enable docker-ee-stable-18.09

2. List the versions available in your repository. Verify if the version you need is in the list.

sudo yum list docker-ee --showduplicates | sort -r

3. Based on your current docker version, install either 18.03 or 18.09 docker engine

To upgrade 18.03 execute:

sudo yum -y install docker-ee-<version_string>

To upgrade 18.09 execute:

sudo yum -y install docker-ee-< version_string > 
docker-ee-cli-< version_string > containerd.io

where version_string is the second column from output of step 2 
starting at the first colon (:), up to the first hyphen.

Example: 
sudo yum -y install docker-ee-18.09.3 docker-ee-cli-18.09.3 containerd.io
Example: 
sudo yum -y install docker-ee-18.03.1.ee.7

4. Verify the docker version using the following command

sudo docker version

5. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

6. Verify if the containers are started by executing the following command.

sudo docker ps

For more details on install and upgrade of Docker EE on Red Hat Linux refer to 
https://docs.docker.com/install/linux/docker-ee/rhel/

Upgrade Docker installed using binary files

If you installed Docker on Content Runtime virtual machine using the Docker Installation file option 
during Content Runtime deployment, then you need to download the debian or rpm package from Docker 
and upgrade the package.

For more information, depending on your operating system and Docker Engine Edition, refer to Upgrade 
section in one of the following links

https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-from-a-package, 
https://docs.docker.com/install/linux/docker-ee/rhel/#install-with-a-package, or 
https://docs.docker.com/install/linux/docker-ee/ubuntu/#install-from-a-package .

If you are using Docker CE 18.06.x, then you must upgrade to Docker CE 19.03. 
Docker CE 18.06.x is no longer supported.

Note: You must download and install docker-cli, containerd.io and docker-ce.

For Ubuntu execute the following steps

1. Upgrade to new version using

sudo dpkg -i <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using

docker version

3. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

4. Verify if the containers are started by executing the following command.

docker ps

For Red Hat execute the following steps

1. Upgrade to new version using

sudo yum -y upgrade <PATH_TO_UPGRADE_PACKAGE>

2. Verify the docker version using

docker version

3. Restart the containers using the following command

cd /root/advanced-content-runtime

docker-compose -f docker-compose.yml up -d

4. Verify if the containers are started by executing the following command.

docker ps

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Change History

25 July, 2019 - Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS2L37","label":"IBM Cloud Automation Manager"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

Security Bulletin: IBM Cloud Automation Manager is affected by an issue with API endpoints behind the 'docker cp'

Security Bulletin

Summary

Vulnerability Details

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

Get Notified about Future Security Bulletins

References

Change History

Disclaimer

Document Location

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?

Tips

Security Bulletin: IBM Cloud Automation Manager is affected by an issue with API endpoints behind the 'docker cp'

Security Bulletin

Summary

Vulnerability Details

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

Get Notified about Future Security Bulletins

References

Related Information

Change History

Disclaimer

Document Location

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?