Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to information disclosure due to its use of Apache Hadoop (CVE-2017-15713)

Summary

Vulnerability in Apache Hadoop allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host. IBM Cloud Pak for Multicloud Management Monitoring does not use clustering, but it is found that the MapReduce server runs which might allow a malicious insider with access to internal networking to exploit this vulnerability. However being run within a container and a functional user running the service, there are no sensitive files to reference only functional container files.

Vulnerability Details

CVEID:CVE-2017-15713
**DESCRIPTION:**Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

To address the vulnerability, IBM strongly recommends you to upgrade IBM Cloud Pak for Multicloud Management to 2.3 Fix Pack 5. For upgrading instructions, see <https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=installation-upgrade.&gt;

Workarounds and Mitigations

None