IBM Support

Security Bulletin: A security vulnerability has been identified in lodash shipped with PowerAI

Security Bulletin


Summary

Vulnerability CVE-2019-1010266 in lodash

Vulnerability Details

CVEID:   CVE-2019-1010266
DESCRIPTION:   lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168402 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM PowerAI 1.6.2

Remediation/Fixes

The 1.6.2 ifix has been delivered by an updated package set. Obtaining the latest packages from the WML CE channel will ensure that you have the ifix installed.

Installing from WML CE with ifix from scratch:

As noted, the latest package versions available contain the fixes, so new installations or new conda environments will automatically install the patched versions. Conda strict channel priority is recommended when using WML CE.

$ cat .condarc
channels:
  - https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda
  - defaults
channel_priority: strict

conda create -n my_env python=3.6
conda activate my_env
conda install powerai=1.6.2

or

conda create -n my_env python=3.6
conda activate my_env
conda install tensorboard

Updating an existing WML CE installation:

It is recommended that you keep packages up to date. To update all packages to the latest versions, run:

conda update --all

To update individual packages, use the package name:

conda update tensorboard

If you have previously installed WML CE using the powerai meta-package, you can also use that to update to the latest packages.

conda update powerai

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

12 Dec 2019: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SGLMYS","label":"IBM PowerAI"},"Component":"lodash","Platform":[{"code":"PF043","label":"Red Hat"}],"Version":"1.6.2","Edition":"All","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
20 December 2019

UID

ibm11135624

Page Feedback