IBM Support

Security Bulletin: Vulnerability in Python affects Watson Machine Learning Services (CVE-2018-14647)

Security Bulletin


Summary

Python is vulnerable to a denial of service, caused by a flaw in the elementtree C accelerator. By using a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a resource exhaustion.

Vulnerability Details

DESCRIPTION: Python’s elementtree C accelerator failed to initialize Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts of CPU and RAM.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150579 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
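
The following is an added example for services that accept XML on a Python 3 runtime; it is not code from the IBM bulletin or from Watson Machine Learning. The denial of service described above needs a document with many distinct element or attribute names that collide in Expat's hash tables, so capping the document size and the number of distinct names bounds the work an attacker can force, whether or not the interpreter's Expat hash salt is initialised. The thresholds, the helper names, and the sample documents are assumptions made for this example.

```python
"""Defensive handling of untrusted XML in a Python 3 service.

Added example, not code from the IBM bulletin or from Watson Machine Learning.
Limits and sample inputs below are illustrative assumptions.
"""
import sys
import xml.etree.ElementTree as ET
from io import BytesIO

# Illustrative limits; tune them to the documents the service legitimately receives.
MAX_BYTES = 1_000_000
MAX_ELEMENTS = 10_000
MAX_DISTINCT_NAMES = 500


class XMLLimitExceeded(ValueError):
    """Raised when a document exceeds one of the resource limits above."""


def c_accelerator_loaded() -> bool:
    """True when xml.etree.ElementTree is backed by the _elementtree C module,
    the component named in the bulletin (the pure-Python fallback is not affected)."""
    return "_elementtree" in sys.modules


def runtime_meets_bulletin() -> bool:
    """True when the interpreter is on the Python 3.6 line or later, as the
    bulletin requires. A precise check would compare against the exact upstream
    fix release for the series in use; that detail is not part of the bulletin."""
    return sys.version_info[:2] >= (3, 6)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse `data` and return the root element, aborting as soon as a limit is hit.

    iterparse counts while Expat is still reading, so an abusive document is
    rejected before the whole tree has been built and the CPU/RAM spent."""
    if len(data) > MAX_BYTES:
        raise XMLLimitExceeded(f"{len(data)} bytes exceeds limit of {MAX_BYTES}")
    elements = 0
    names = set()
    root = None
    for _event, elem in ET.iterparse(BytesIO(data), events=("start",)):
        if root is None:
            root = elem
        elements += 1
        if elements > MAX_ELEMENTS:
            raise XMLLimitExceeded(f"more than {MAX_ELEMENTS} elements")
        # Element tags and attribute names are exactly what Expat hashes.
        names.add(elem.tag)
        names.update(elem.attrib)
        if len(names) > MAX_DISTINCT_NAMES:
            raise XMLLimitExceeded(f"more than {MAX_DISTINCT_NAMES} distinct names")
    return root


def many_names_document(n: int) -> bytes:
    """Constructed sample: one element carrying n distinct attribute names, the
    shape a collision-flooding document takes. A real attack picks names that
    collide in Expat's hash; counting distinct names catches both cases."""
    attrs = " ".join(f'a{i}="x"' for i in range(n))
    return f"<doc {attrs}/>".encode()


# Constructed benign input.
BENIGN = b'<model name="demo"><layer units="4"/></model>'

if __name__ == "__main__":
    print("C accelerator loaded:", c_accelerator_loaded())
    print("Python >= 3.6:", runtime_meets_bulletin())
    print("benign root:", parse_untrusted(BENIGN).tag)
    try:
        parse_untrusted(many_names_document(600))
    except XMLLimitExceeded as exc:
        print("rejected:", exc)
```

The limits are an application-level backstop, not a substitute for moving to the remediated runtime: they cap the damage a hostile document can do, but only the fixed interpreter removes the underlying hash-collision weakness.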

Affected Products and Versions

  • IBM Watson Machine Learning Lite Plan   
  • IBM Watson Machine Learning Standard Plan
  • IBM Watson Machine Learning Professional Plan  

Remediation/Fixes

  1. This vulnerability is remediated in IBM Watson Machine Learning Services with Python 3.6 Runtimes support.
  2. Watson Machine Learning Services and Framework support for Python 2.7 and Python 3.5 is deprecated as of July 23 2019 and will be removed on Aug 30 2019. Users must use services and frameworks with Python 3.6 Runtimes support.
  3. Refer to the Watson Machine Learning Python 3.6 Announcement for more details.

Workarounds and Mitigations

None.

References

Change History

23 July 2019: Original version published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCNDT","label":"IBM Watson Machine Learning Service"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
23 July 2019

UID

ibm10960043