Security Bulletin: IBM InfoSphere BigInsights affected by vulnerability in Big SQL component (CVE-2015-1889)


Summary

A security vulnerability has been identified in the Big SQL component of InfoSphere BigInsights that could allow a malicious user to gain unauthorized access to the HDFS data in the cluster.

Vulnerability Details

CVE-ID: CVE-2015-1889

DESCRIPTION:
IBM InfoSphere BigInsights contains an unauthorized HDFS data access vulnerability. A remote, authenticated Big SQL user could exploit this vulnerability by issuing a specially crafted CREATE HADOOP TABLE statement on other users' data located in HDFS, or by executing the HCAT_SYNC_OBJECTS procedure to import a Hive table definition that was defined using Hive's LOCATION clause. To exploit the vulnerability, the malicious user needs valid security credentials to connect to Big SQL and the privileges to create a Hadoop table or to execute the HCAT_SYNC_OBJECTS procedure.

CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101275 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
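
A defensive audit sketch for the two paths described above, added here as an example and not part of IBM's bulletin or fix: it flags table DDL whose LOCATION falls outside the issuing user's own HDFS directory, and flags every HCAT_SYNC_OBJECTS call for manual review. The (user, statement) record shape, the /user/<name> home layout, the shared-root policy and the sample statements are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: each audit record is (authenticated user, SQL text). How records are
# collected from Big SQL or Hive is site-specific and not covered by the bulletin.
DDL = re.compile(r"\bCREATE\s+(?:EXTERNAL\s+)?(?:HADOOP\s+)?TABLE\b", re.I)
LOCATION = re.compile(r"\bLOCATION\s+'([^']+)'", re.I)
HCAT_SYNC = re.compile(r"\bHCAT_SYNC_OBJECTS\s*\(", re.I)
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://[^/]*", re.I)


def hdfs_path(location):
    """Strip an hdfs://host:port prefix and normalise the remaining path."""
    return posixpath.normpath(SCHEME.sub("", location) or "/")


def allowed(user, path, shared_roots=()):
    """Hypothetical policy: tables may point only at /user/<user> or a shared root."""
    roots = (f"/user/{user}",) + tuple(shared_roots)
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def review(records, shared_roots=()):
    """Return (user, reason, detail) findings that deserve a manual look."""
    findings = []
    for user, sql in records:
        if HCAT_SYNC.search(sql):
            # Imported Hive definitions carry their own LOCATION; check the metastore.
            findings.append((user, "hcat_sync_objects", sql.strip()))
        elif DDL.search(sql):
            for loc in LOCATION.findall(sql):
                path = hdfs_path(loc)
                if not allowed(user, path, shared_roots):
                    findings.append((user, "location_outside_policy", path))
    return findings


# Constructed sample records, not taken from a real system.
SAMPLE = [
    ("bob", "CREATE HADOOP TABLE t1 (id INT) LOCATION '/user/bob/t1'"),
    ("bob", "CREATE EXTERNAL HADOOP TABLE t2 (id INT) LOCATION 'hdfs://nn:8020/user/alice/sales'"),
    ("carol", "CALL SYSHADOOP.HCAT_SYNC_OBJECTS('hr', '.*', 'a', 'REPLACE', 'CONTINUE')"),
    ("dave", "CREATE HADOOP TABLE t3 (id INT) LOCATION '/data/shared/t3'"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE, shared_roots=("/data/shared",)):
        print(finding)
```

A finding here is a prompt to compare the table's location with HDFS ownership and permissions, not proof of misuse.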

Affected Products and Versions

IBM InfoSphere BigInsights 3.0, 3.0.0.1 and 3.0.0.2

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.
For versions 3.0.0.1 and 3.0.0.2: Apply the interim fix available from Fix Central.
For version 3.0.0.0: Please contact IBM Technical Support for fix resolution.

References

Change History

10 April 2015: Original Version Published
16 July 2015: Updated Version Published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 08 April 2021

UID: swg21700654