IBM InfoSphere BigInsights 4.2 is affected by Open Source vulnerabilities in Hadoop (CVE-2016-3086, CVE-2016-5001) and Solr (CVE-2017-3163)
CVEID: CVE-2016-3086
DESCRIPTION: Apache Hadoop could allow a remote attacker to obtain sensitive information, caused by a flaw in the YARN NodeManager. A remote attacker could exploit this vulnerability to obtain the password for the credential store provider.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131544 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-5001
DESCRIPTION: Apache Hadoop could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the short-circuit reads feature. By using a specially crafted block token, a local attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131248 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-3163
DESCRIPTION: When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk, since only trusted clients and users would gain direct HTTP access.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131320> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
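The file-name validation that the CVE-2017-3163 description above says was missing, shown as an added Python illustration that is not Solr's own code or its fix: a replication-style endpoint should accept only a bare file name and confirm the resolved path still lies inside the index directory. It assumes a POSIX filesystem and builds a constructed temporary index directory for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def safe_index_file(index_dir: str, requested: str) -> Optional[Path]:
    """Return the resolved path of `requested` inside `index_dir`, or None
    if the name would expose anything outside the index directory.

    Three checks: the name must be a single path component, it must not be
    a `.` or `..` entry, and the fully resolved path (symlinks followed)
    must still be a regular file whose parent is the resolved index dir.
    """
    if not requested or requested in (".", ".."):
        return None
    # A bare file name never contains a directory separator.
    if "/" in requested or "\\" in requested or os.sep in requested:
        return None
    base = Path(index_dir).resolve()
    candidate = (base / requested).resolve()
    # Containment check: a symlink planted inside the index directory could
    # still resolve to a file elsewhere, so compare after resolution.
    if candidate.parent != base or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Constructed example: a throwaway index dir with one real segment file,
    plus a symlink inside it that points outside (hypothetical layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        index = Path(tmp) / "index"
        index.mkdir()
        (index / "segments_1").write_bytes(b"constructed segment data")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("not an index file")
        (index / "escape").symlink_to(secret)
        return {
            "plain": safe_index_file(str(index), "segments_1") is not None,
            "traversal": safe_index_file(str(index), "../secret.txt") is None,
            "absolute": safe_index_file(str(index), "/etc/hostname") is None,
            "symlink": safe_index_file(str(index), "escape") is None,
        }


if __name__ == "__main__":
    print(demo())
```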
| Principal Product and Version(s) | Affected Supporting Product and Version |
|---|---|
| IBM BigInsights 4.2 | IBM Open Platform 4.2 |
Follow the instructions to apply the service patch on the IOP cluster:
https://developer.ibm.com/hadoop/2015/12/17/iop-patch-management/
The specific patches for Red Hat versions are below:
IOP patches for RHEL 6:
http://ibm-open-platform.ibm.com/repos/IOP/rhel/6/x86_64/4.2.x/Updates/4.2.0.0_20180122/
IOP patches for RHEL 7:
http://ibm-open-platform.ibm.com/repos/IOP/rhel/7/x86_64/4.2.x/Updates/4.2.0.0_20180124/