Security Bulletin: IBM InfoSphere Information Server is vulnerable to retrieval of access credentials by highly privileged users

Summary

A privileged user can access highly sensitive information in Information Server application memory. For example, they could generate a memory dump that could contain highly sensitive information, including access credentials.

Vulnerability Details

CVEID: CVE-2017-1495 DESCRIPTION: IBM InfoSphere Information Server could allow a privileged user to cause a memory dump that could contain highly sensitive information including access credentials.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128693 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: version 11.5

Remediation/Fixes

None

Workarounds and Mitigations

Mitigation Step:

• Utilize strict access control and secured networks to restrict unauthorized users from gaining access to administrative privileges
• Use Administrator Groups to limit access to root/admin
• Enable secure communication (i.e. Kerberos) with source or target applications when available