Security Bulletin
Summary
FreeType Remote Code Execution Vulnerability affects IBM Watson Machine Learning Accelerator on Cloud Pak for Data. The vulnerability has been addressed.
Vulnerability Details
CVEID: CVE-2025-27363
DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: cve-assign@fb.com
CVSS Base score: 8.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| Watson Machine Learning Accelerator on Cloud Pak for Data | 4.8.2 - 4.8.6 |
| Watson Machine Learning Accelerator on Cloud Pak for Data | 5.0.0 - 5.0.2 |
Remediation/Fixes
To address the vulnerability, install either of the IBM Watson Machine Learning Accelerator hot fixes:
- IBM Watson Machine Learning Accelerator hot fix 4.8.6.1 for the version 4.8.6
- IBM Watson Machine Learning Accelerator hot fix 5.0.2.1 for the version 5.0.2.
Pre-requisties:
- IBM Watson Machine Learning Accelerator hot fix 4.8.6.1 can only be installed on the top of IBM Watson Machine Learning Accelerator version 4.8.6.
If the current IBM Watson Machine Learning Accelerator version is 4.8.2, 4.8.3, 4.8.4 and 4.8.5, upgrade to CPD 4.8.6 or a later refresh by following the instructions here.
- IBM Watson Machine Learning Accelerator hot fix 5.0.2.1 can only be installed on the top of IBM Watson Machine Learning Accelerator version 5.0.2.
If the current IBM Watson Machine Learning Accelerator version is 5.0.0, 5.0.1, upgrade to CPD 5.0.2 or a later refresh by following the instructions here.
1. Install IBM Watson Machine Learning accelerator hot fix 4.8.6.1
Pre-requisites:
The IBM Watson Machine Learning Accelerator hot fix 4.8.6.1 image has be downloaded and configured in the image registry according to your environment set up
1.1 Put wmla service in maintenance mode
#PROJECT_CPD_INST_OPERANDS=cpd-instance
#oc patch wmla wmla -n ${PROJECT_CPD_INST_OPERANDS} --type merge --patch '{"spec": {"ignoreForMaintenance": true}}'
wmla.spectrumcomputing.ibm.com/wmla patched
1.2 Check wmla service status:
#oc get wmla wmla -o yaml|grep wmlaStatus
wmlaStatus: InMaintenance
1.3 Apply the IBM Watson Machine Learning Accelerator hot fix 4.8.6.1 by editing the deployment wmla-dlpd and wmla-watchdog
#oc edit deploy wmla-dlpd
Replace the wml-accelerator image with the IBM Watson Machine Learning Accelerator 4.8.6.1 hot fix wml-accelerator image and save.
#oc edit deploy wmla-watchdog
Replace the wml-accelerator-watchdog image with the IBM Watson Machine Learning Accelerator 4.8.6.1 hot fix wml-accelerator-watchdog image and save
1.4 Check wmla pods, make sure the wmla-dlpd and wmla-watchdog pods are restarted and Running:
#oc get po|grep wmla
1.5 Check the freetype package version in wmla-dlpd pod and wmla-watchdog pod
You should see something like below:
#oc rsh wmla-dlpd-xxxxx rpm -qa|grep freetype
Defaulted container "dlpd" out of: dlpd, kubectlproxy, kubectlget (init)
freetype-2.10.4-10.el9_5.x86_64
#oc rsh wmla-watchdog-xxxxx rpm -qa|grep freetypeDefaulted container "watchdog" out of: watchdog, kubectlproxy
freetype-2.10.4-10.el9_5.x86_64
2. Install IBM Watson Machine Learning accelerator hot fix 5.0.2.1
Pre-requisites:
The IBM Watson Machine Learning Accelerator hot fix 5.0.2.1 image has be downloaded and configured in the image registry according to your environment set up
2.1 Put wmla service in maintenance mode
#PROJECT_CPD_INST_OPERANDS=cpd-instance
#oc patch wmla wmla -n ${PROJECT_CPD_INST_OPERANDS} --type merge --patch '{"spec": {"ignoreForMaintenance": true}}'
wmla.spectrumcomputing.ibm.com/wmla patched
2.2 Check wmla service status:
#oc get wmla wmla -o yaml|grep wmlaStatus
wmlaStatus: InMaintenance
2.3 Apply the IBM Watson Machine Learning Accelerator hot fix 5.0.2.1 by editing the deployment wmla-dlpd and wmla-watchdog
#oc edit deploy wmla-dlpd
Replace the wml-accelerator image with the IBM Watson Machine Learning Accelerator 5.0.2.1 hot fix wml-accelerator image and save.
#oc edit deploy wmla-watchdog
Replace the wml-accelerator-watchdog image with the IBM Watson Machine Learning Accelerator 5.0.2.1 hot fix wml-accelerator-watchdog image and save
2.4 Check wmla pods, make sure the wmla-dlpd and wmla-watchdog pods are restarted and Running:
#oc get po|grep wmla
2.5 Check the freetype package version in wmla-dlpd pod and wmla-watchdog pod
You should see something like below:
#oc rsh wmla-dlpd-xxxxx rpm -qa|grep freetype
Defaulted container "dlpd" out of: dlpd, kubectlproxy, kubectlget (init)
freetype-2.10.4-10.el9_5.x86_64
#oc rsh wmla-watchdog-xxxxx rpm -qa|grep freetypeDefaulted container "watchdog" out of: watchdog, kubectlproxy
freetype-2.10.4-10.el9_5.x86_64
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
05 May 2025: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
05 May 2025
Initial Publish date:
05 May 2025
UID
ibm17232561