Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME9F3D99D42460129FBFEB88BDD88CDEB57E505704FE4AF84C8ACC492D6508BDE
HistoryJul 18, 2020 - 11:17 p.m.

Security Bulletin: IBM InfoSphere BigInsights 4.2 is affected by Open Source vulnerabilities in Hadoop (CVE-2016-3086, CVE-2016-5001) and Solr (CVE-2017-3163)

2020-07-1823:17:55
www.ibm.com
17

EPSS

0.005

Percentile

76.8%

JSON

Summary

IBM InfoSphere BigInsights 4.2 is affected by Open Source vulnerabilities in Hadoop (CVE-2016-3086, CVE-2016-5001) and Solr (CVE-2017-3163)

Vulnerability Details

CVEID: CVE-2016-3086**
DESCRIPTION:** Apache Hadoop could allow a remote attacker to obtain sensitive information, caused by a flaw in the YARN NodeManager. A remote attacker could exploit this vulnerability to obtain the password for credential store provider.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131544 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-5001**
DESCRIPTION:** Apache Hadoop could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the short-circuit reads feature. By using a specially-crafted block token, a local attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131248 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3163******
DESCRIPTION:**
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131320&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Principal Product and Version(s)

| Affected Supporting Product and Version
—|—
IBM BigInsights 4.2| IBM Open Platform 4.2

Remediation/Fixes

Follow instructions to apply service patch on IOP cluster:

https://developer.ibm.com/hadoop/2015/12/17/iop-patch-management/

The specific patches for Red Hat versions are below:
IOP patches for RHEL 6:
http://ibm-open-platform.ibm.com/repos/IOP/rhel/6/x86_64/4.2.x/Updates/4.2.0.0_20180122/

IOP patches for RHEL 7:
http://ibm-open-platform.ibm.com/repos/IOP/rhel/7/x86_64/4.2.x/Updates/4.2.0.0_20180124/

Related

github 3
prion 3
osv 8
openvas 6
nvd 3
veracode 4
cve 3
cvelist 3
ubuntucve 1
debiancve 1
redhatcve 1
debian 2
nessus 5
zdt 1
ibm 2
redhat 5
github
github
Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
2022-05-13 01:08:56
Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
2022-05-17 01:08:00
Improper Limitation of a Pathname ('Path Traversal') in org.apache.solr:solr-core
2018-10-18 16:40:43
prion
prion
Information disclosure
2017-08-30 19:29:00
Design/Logic Flaw
2017-09-05 13:29:00
Path traversal
2017-08-30 14:29:00
osv
osv
CVE-2016-5001
2017-08-30 19:29:00
Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
2022-05-13 01:08:56
CVE-2017-3163
2017-08-30 14:29:00
openvas
openvas
Apache Hadoop Information Disclosure Vulnerability
2017-08-31 00:00:00
Apache Hadoop Password Exposure Vulnerability
2017-06-27 00:00:00
Apache Solr Inter-Node Communication Vulnerability (SOLR-10031) - Windows
2017-08-31 00:00:00
nvd
nvd
CVE-2016-5001
2017-08-30 19:29:00
CVE-2016-3086
2017-09-05 13:29:00
CVE-2017-3163
2017-08-30 14:29:00
veracode
veracode
Information Disclosure
2016-12-19 05:48:26
Password Leakage
2017-01-10 07:24:41
Directory Traversal
2017-02-16 01:56:42
cve
cve
CVE-2016-5001
2017-08-30 19:29:00
CVE-2016-3086
2017-09-05 13:29:00
CVE-2017-3163
2017-08-30 14:29:00
cvelist
cvelist
CVE-2016-5001
2017-08-30 19:00:00
CVE-2017-3163
2017-08-30 14:00:00
CVE-2016-3086
2017-09-05 13:00:00
ubuntucve
ubuntucve
CVE-2017-3163
2017-08-30 00:00:00
debiancve
debiancve
CVE-2017-3163
2017-08-30 14:29:00
redhatcve
redhatcve
CVE-2017-3163
2019-10-09 12:28:00
debian
debian
[SECURITY] [DLA 1046-1] lucene-solr security update
2017-07-30 15:56:54
[SECURITY] [DSA 4124-1] lucene-solr security update
2018-02-27 19:38:50
nessus
nessus
Debian DLA-1046-1 : lucene-solr security update
2017-07-31 00:00:00
Debian DSA-4124-1 : lucene-solr - security update
2018-02-28 00:00:00
RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451)
2018-05-16 00:00:00
zdt
zdt
Apache Hadoop YARN NodeManager Password Leak Vulnerability
2018-01-25 00:00:00
ibm
ibm
Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Apache Hadoop
2023-05-17 21:55:26
Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability
2018-12-13 14:45:01
redhat
redhat
(RHSA-2018:1450) Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update
2018-05-14 20:15:19
(RHSA-2018:1447) Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update
2018-05-14 20:14:21
(RHSA-2018:1449) Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update
2018-05-14 20:15:17

EPSS

0.005

Percentile

76.8%

JSON
Related for E9F3D99D42460129FBFEB88BDD88CDEB57E505704FE4AF84C8ACC492D6508BDE
github3prion3osv8openvas6nvd3veracode4cve3cvelist3ubuntucve1debiancve1redhatcve1debian2nessus5zdt1ibm2redhat5