3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects IBM Infosphere BigInsights.
CVEID: CVE-2015-4000**
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
IBM InfoSphere BigInsights 1.1.0, 1.2.0, 1.3.0,1.4.0, 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0
Update JVM as a fix for all affected releases of BigInsights.
For BI 3.x or earlier
To obtain a fix pack, go to <http://www.ibm.com/developerworks/java/jdk/linux/download.html> and download an updated edition of Java for Linux, **Platform:**64-bit AMD/Opteron/EM64T
BigInsights products use:
Java SE Version 7 for BI 3.x
* IBM SDK, Java Technology Edition, Version 7, Release 1, Service Refresh 3, Fix Pack 1
* IBM SDK, Java Technology Edition, Version 7, Service Refresh 9, Fix Pack 1
* Java SE Version 6 for BI versions earlier than 3.x
* IBM SDK, Java Technology Edition, Version 6.0.1 (J9 VM2.6), Service Refresh 8, Fix Pack 5
* IBM SDK, Java Technology Edition, Version 6, Service Refresh 16, Fix Pack 5
2. To confirm that vulnerability does not exist
After updating the Java version
For BI 4.0
Knox
Ambari
If only using ambari-server setup-security to set SSL self signed (non CA certificate), follow these steps:
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N