Security Bulletin: Vulnerability in dependent component shipped in IBM Development Package for Apache Spark (CVE-2016-4970)

Summary

The developerWorks download for IBM Development Package for Apache Spark is not vulnerable in its default configuration.

However, IBM Development Package for Apache Spark could be vulnerable to a Denial of Service attack if the ‘netty-tcnative’ component is added and configured onto the classpath during application development/deployment, because it provides the interface between Netty and an installed openSSL library.

Vulnerability Details

CVEID: CVE-2016-4970**
DESCRIPTION:** Netty is vulnerable to a denial of service, caused by the improper handling of renegotiation by the OpenSslEngine. If renegotiation is enabled, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122029 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

All IBM Development Package for Apache Spark, v1 releases
All IBM Development Package for Apache Spark, v2.0.0 releases

Remediation/Fixes

IBM Development Package for Apache Spark, v2.1.0.0, or later releases.

An unaffected release is available for download from developerWorks.

Workarounds and Mitigations

Use of the java command-line option “-Djdk.tls.rejectClientInitiatedRenegotiation=true” disabling renegotiation can avoid this issue.