IBM Support

Security Bulletin: Vulnerability in Python affects Watson Studio (Notebook) (CVE-2018-14647)

Security Bulletin


Python is vulnerable to a denial of service, caused by a flaw in the elementtree C accelerator. By using a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a resource exhaustion.

Vulnerability Details

DESCRIPTION: Python’s elementtree C accelerator failed to initialize Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM. 
CVSS Base Score: 5.3
CVSS Temporal Score: for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

  • IBM Watson Studio Paygo 1.0   ( Spark and Default Environments for Python 2.7 and Python 3.5)
  • IBM Watson Studio Enterprise 1.0   (Spark and Default Environments for Python 2.7 and Python 3.5)


  1. This Vulnerability is remediated in IBM Watson Studio with Python 3.6 support for Spark and Default Environments.
  2. Spark Environment support for Python 2.7 and Python 3.5 is deprecated as of May 15 2019 and become unavailable as of June 15 2019. Users must move their Notebooks to Python 3.6
  3. Default Environment Support for Python 2.7 and Python 3.5 is deprecated as of July 16 2019 and become unavailable as of Aug 28 2019. Users must move their Notebooks to Python 3.6.
  4. Refer to Watson Studio Python 3.6 Announcement for more details. 

Workarounds and Mitigations


Get Notified about Future Security Bulletins



Change History

03 June 2019: Original version published
16 July 2019 : Updated for Python 3.6 Availability

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCLA9","label":"IBM Watson Studio Cloud"},"Component":"Watson Studio (Notebook)","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
06 July 2020