Vulnerability Name:

CVE-2018-20699 (CCN-155499)

Assigned:2018-10-08
Published:2018-10-08
Updated:2019-03-14
Summary:Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go.
CVSS v3 Severity:4.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
4.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-400
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2018-20699

Source: REDHAT
Type: Third Party Advisory
RHSA-2019:0487

Source: XF
Type: UNKNOWN
docker-cve201820699-dos(155499)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/docker/engine/pull/70

Source: CCN
Type: moby GIT Repository
Fix denial of service with large numbers in cpuset-cpus and cpuset-mems #37967

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/moby/moby/pull/37967

Source: CCN
Type: IBM Security Bulletin 6599703 (Db2 On Openshift)
Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6991565 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: IBM Security Bulletin 6991641 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-20699

Vulnerable Configuration:Configuration 1:
  • cpe:/a:docker:engine:*:*:*:*:*:*:*:* (Version < 18.09)

    • Configuration 2:
  • cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:4.0:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201820699
    V
    		CVE-2018-20699
    2023-06-22
    oval:org.opensuse.security:def:7853
    P
    		docker-20.10.23_ce-150000.175.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:3243
    P
    		libpython3_6m1_0-3.6.8-2.13 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94873
    P
    		docker-20.10.12_ce-159.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:939
    P
    		Security update for wireshark (Moderate)
    2022-02-14
    oval:org.opensuse.security:def:112164
    P
    		docker-20.10.6_ce-2.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:70024
    P
    		Security update for go1.17 (Moderate)
    2021-12-23
    oval:org.opensuse.security:def:100701
    P
    		 (Important)
    2021-12-22
    oval:org.opensuse.security:def:1295
    P
    		Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) (Important)
    2021-12-15
    oval:org.opensuse.security:def:1287
    P
    		Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP3) (Important)
    2021-12-14
    oval:org.opensuse.security:def:93988
    P
    		 (Important)
    2021-12-01
    oval:org.opensuse.security:def:105698
    P
    		docker-20.10.6_ce-2.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:69919
    P
    		Security update for openssl-1_1 (Important)
    2021-08-24
    oval:org.opensuse.security:def:101128
    P
    		docker-19.03.15_ce-6.46.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62384
    P
    		docker-19.03.15_ce-6.46.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:116925
    P
    		docker-19.03.5_ce-6.31.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62376
    P
    		docker-19.03.5_ce-6.31.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:107367
    P
    		docker-19.03.5_ce-6.31.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:73359
    P
    		docker on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49326
    P
    		rsyslog on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49380
    P
    		docker on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73241
    P
    		libvorbis-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:66576
    P
    		opensc on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:66668
    P
    		docker on GA media (Moderate)
    2020-12-01
    oval:com.ubuntu.disco:def:2018206990000000
    V
    		CVE-2018-20699 on Ubuntu 19.04 (disco) - negligible.
    2019-01-12
    oval:com.ubuntu.bionic:def:2018206990000000
    V
    		CVE-2018-20699 on Ubuntu 18.04 LTS (bionic) - negligible.
    2019-01-12
    oval:com.ubuntu.xenial:def:2018206990000000
    V
    		CVE-2018-20699 on Ubuntu 16.04 LTS (xenial) - negligible.
    2019-01-12
    oval:com.ubuntu.bionic:def:201820699000
    V
    		CVE-2018-20699 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-01-11
    oval:com.ubuntu.cosmic:def:2018206990000000
    V
    		CVE-2018-20699 on Ubuntu 18.10 (cosmic) - negligible.
    2019-01-11
    oval:com.ubuntu.cosmic:def:201820699000
    V
    		CVE-2018-20699 on Ubuntu 18.10 (cosmic) - medium.
    2019-01-11
    oval:com.ubuntu.trusty:def:201820699000
    V
    		CVE-2018-20699 on Ubuntu 14.04 LTS (trusty) - medium.
    2019-01-11
    oval:com.ubuntu.xenial:def:201820699000
    V
    		CVE-2018-20699 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-01-11
    BACK
    docker engine *
    redhat enterprise linux server 7.0
    ibm db2 warehouse 3.5 -
    ibm db2 warehouse 4.0 -
    ibm db2 3.5 -
    ibm db2 4.0 -