Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM7E1D0BE9901B8493C4805DFFA6E8003BE532D09E56D02BF7659E0159FC5EF9F3
HistoryMay 17, 2023 - 9:55 p.m.

Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Apache Hadoop

2023-05-1721:55:26
www.ibm.com
23

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.086 Low

EPSS

Percentile

94.4%

JSON

Summary

Multiple vulnerabilities in Apache Hadoop used by InfoSphere Information Server were addressed.

Vulnerability Details

CVEID:CVE-2022-26612
**DESCRIPTION:**Apache Hadoop for Windows could allow a remote attacker to bypass security restrictions, caused by the use of an unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes by the unTar function. By following symbolic links, an attacker could exploit this vulnerability to write arbitrary files on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223688 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-8009
**DESCRIPTION:**Apache Hadoop could could allow a remote attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing “dot dot slash” sequences (…/), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as “Zip-Slip”
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150617 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2017-15713
**DESCRIPTION:**Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2022-25168
**DESCRIPTION:**Apache Hadoop could allow a local authenticated attacker to execute arbitrary commands on the system, caused by improper input file name validation by the FileUtil.unTar(File, File) API. By sending specially-crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232807 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2016-3086
**DESCRIPTION:**Apache Hadoop could allow a remote attacker to obtain sensitive information, caused by a flaw in the YARN NodeManager. A remote attacker could exploit this vulnerability to obtain the password for credential store provider.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/131544 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2016-5393
**DESCRIPTION:**Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands with the same privileges as the HDFS service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/120038 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-8029
**DESCRIPTION:**Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as root user.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161812 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**IBM X-Force ID:**220885
**DESCRIPTION:**Apache Hadoop could allow a local attacker to obtain sensitive information, caused by the inclusion of parent’s env vars to child processes. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220885 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
InfoSphere Information Server 11.7

Remediation/Fixes

Product VRMF APAR Remediation
InfoSphere Information Server, InfoSphere Information Server on Cloud 11.7 DT197810 --Apply IBM InfoSphere Information Server version 11.7.1.0
--Apply InfoSphere Information Server version 11.7.1.4
--Apply InfoSphere Information Server 11.7.1.4 Service pack 1

Workarounds and Mitigations

None

Related

ibm 21
veracode 7
prion 7
zdt 2
nessus 2
github 7
redhatcve 4
fedora 3
openvas 9
osv 13
cnvd 1
cve 7
checkpoint_advisories 1
qualysblog 1
redhat 1
oracle 2
ibm
ibm
Security Bulletin: Vulnerabilities in Apache Hadoop affect IBM Operations Analytics - Log Analysis (CVE-2022-26612, CVE-2022-25168)
2022-11-22 12:16:17
Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to information disclosure due to its use of Apache Hadoop (CVE-2017-15713)
2022-07-21 12:52:29
Security Bulletin: Due to use of Spark from Hadoop, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to traverse directories on the system.
2023-09-05 10:36:31
veracode
veracode
Information Disclosure
2018-01-21 22:47:45
Privilege Escalation
2019-06-03 16:23:40
Arbitrary File Write
2018-06-06 05:41:04
prion
prion
Design/Logic Flaw
2018-01-19 17:29:00
Command injection
2019-05-30 16:29:00
Code injection
2018-11-13 21:29:00
zdt
zdt
Apache Hadoop 0.23.x Private File Disclosure Vulnerability
2018-01-23 00:00:00
Apache Hadoop YARN NodeManager Password Leak Vulnerability
2018-01-25 00:00:00
nessus
nessus
Fedora 28 : hadoop (2018-e5a8b72d0d)
2019-01-03 00:00:00
Oracle Business Intelligence Enterprise Edition (OAS 6.4) (October 2023 CPU)
2023-10-20 00:00:00
github
github
Path traversal in Hadoop
2022-04-08 00:00:21
Privilege escalation vulnerability in Apache Hadoop
2019-05-31 16:09:15
Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main
2018-12-21 17:50:13
redhatcve
redhatcve
CVE-2022-26612
2022-04-11 07:35:21
CVE-2018-8029
2020-01-27 17:09:13
CVE-2018-8009
2018-06-19 21:19:24
fedora
fedora
[SECURITY] Fedora 28 Update: hadoop-2.7.6-4.fc28
2018-07-15 03:34:22
[SECURITY] Fedora 28 Update: hadoop-2.7.7-1.fc28
2018-12-09 21:02:07
[SECURITY] Fedora 29 Update: hadoop-2.7.7-1.fc29
2018-12-09 21:02:57
openvas
openvas
Fedora Update for hadoop FEDORA-2018-e5a8b72d0d
2018-07-15 00:00:00
Apache Hadoop Information Disclosure Vulnerability
2018-01-23 00:00:00
Apache Hadoop Privilege Escalation Vulnerability (CVE-2018-8029)
2019-06-03 00:00:00
osv
osv
CVE-2018-8029
2019-05-30 16:29:01
Privilege escalation vulnerability in Apache Hadoop
2019-05-31 16:09:15
CVE-2017-15713
2018-01-19 17:29:00
cnvd
cnvd
Apache Hadoop Parameter Injection Vulnerability
2022-08-05 00:00:00
cve
cve
CVE-2017-15713
2018-01-19 17:29:00
CVE-2018-8029
2019-05-30 16:29:00
CVE-2022-25168
2022-08-04 15:15:00
checkpoint_advisories
checkpoint_advisories
ZIP Slip Arbitrary File Overwrite Remote Code Execution (CVE-2018-1002200; CVE-2018-1002201; CVE-2018-1002203; CVE-2018-1002204; CVE-2018-1002205; CVE-2018-1002206; CVE-2018-1002207; CVE-2018-1261; CVE-2018-8008; CVE-2018-8009; CVE-2021-43555)
2018-06-06 00:00:00
qualysblog
qualysblog
Oracle Patch Tuesday, October 2023 Security Update Review
2023-10-18 17:11:20
redhat
redhat
(RHSA-2019:3892) Important: Red Hat Fuse 7.5.0 security update
2019-11-14 21:15:16
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.086 Low

EPSS

Percentile

94.4%

JSON
Related for 7E1D0BE9901B8493C4805DFFA6E8003BE532D09E56D02BF7659E0159FC5EF9F3
ibm21veracode7prion7zdt2nessus2github7redhatcve4fedora3openvas9osv13cnvd1cve7checkpoint_advisories1qualysblog1redhat1oracle2