Security Bulletin
Summary
A security vulnerability has been identified in the Big SQL component of InfoSphere BigInsights that could allow a malicious user to gain unauthorized access to the HDFS data in the cluster.
Vulnerability Details
CVE-ID: CVE-2015-1889
DESCRIPTION:
IBM InfoSphere BigInsights contains an unauthorized HDFS data access vulnerability. A remote, authenticated Big SQL user could exploit this vulnerability by issuing a specially-crafted CREATE HADOOP TABLE statement on other users' data located in the HDFS, or by executing the HCAT_SYNC_OBJECTS procedure to import a Hive table definition that was defined using Hive's LOCATION clause. To exploit the vulnerability, the malicious user needs to have valid security credentials to connect to Big SQL and the privileges to create a Hadoop table or to execute the HCAT_SYNC_OBJECTS procedure.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101275 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
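As an added, defender-side illustration that is not part of IBM's bulletin: a small Python helper that reviews Big SQL statement audit records and flags the two patterns described above for follow-up, a CREATE HADOOP TABLE whose LOCATION clause points outside the issuing user's own HDFS paths, and any call to HCAT_SYNC_OBJECTS (whose imported Hive definitions may carry a foreign LOCATION). The record layout, the sample statements and the permitted-path rule (/user/<name>/) are constructed assumptions, not the product's audit format or policy.

```python
import posixpath
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample of (user, statement) pairs standing in for Big SQL
# statement audit records. The layout is an assumption for this example.
SAMPLE_AUDIT: List[Tuple[str, str]] = [
    ("alice", "CREATE HADOOP TABLE sales (id INT) LOCATION '/user/alice/sales'"),
    ("bob", "CREATE HADOOP TABLE t1 (id INT) LOCATION '/user/bob/../alice/payroll'"),
    ("carol", "CREATE HADOOP TABLE t2 (id INT)"),
    ("dave", "CALL HCAT_SYNC_OBJECTS('finance', 'ledger')"),
]

CREATE_HADOOP_TABLE = re.compile(r"^\s*CREATE\s+HADOOP\s+TABLE\b", re.IGNORECASE)
LOCATION_CLAUSE = re.compile(r"\bLOCATION\s+'([^']*)'", re.IGNORECASE)
HCAT_SYNC = re.compile(r"\bHCAT_SYNC_OBJECTS\b", re.IGNORECASE)


def default_allowed_prefixes(user: str) -> Tuple[str, ...]:
    """HDFS prefixes a user may point an external table at (assumed layout)."""
    return (f"/user/{user}/",)


def review_statement(user: str, sql: str,
                     allowed_for: Callable[[str], Tuple[str, ...]] = default_allowed_prefixes
                     ) -> Optional[str]:
    """Return a finding for statements worth an analyst's look, else None."""
    if HCAT_SYNC.search(sql):
        return "HCAT_SYNC_OBJECTS call: imported Hive definition may carry a foreign LOCATION"
    if not CREATE_HADOOP_TABLE.match(sql):
        return None
    m = LOCATION_CLAUSE.search(sql)
    if m is None:
        return None  # table lives in the default warehouse path; nothing to check here
    # Normalise so that '..' segments cannot disguise a path outside the user's tree.
    path = posixpath.normpath(m.group(1)).rstrip("/") + "/"
    if any(path.startswith(prefix) for prefix in allowed_for(user)):
        return None
    return f"CREATE HADOOP TABLE with LOCATION {m.group(1)!r} outside {user}'s permitted paths"


def review_audit(records: List[Tuple[str, str]],
                 allowed_for: Callable[[str], Tuple[str, ...]] = default_allowed_prefixes
                 ) -> List[Tuple[str, str]]:
    """Run review_statement over every record and collect (user, finding) pairs."""
    findings = []
    for user, sql in records:
        reason = review_statement(user, sql, allowed_for)
        if reason:
            findings.append((user, reason))
    return findings


if __name__ == "__main__":
    for user, reason in review_audit(SAMPLE_AUDIT):
        print(f"{user}: {reason}")
```

Findings are review prompts, not proof of misuse: a flagged LOCATION may be a legitimately shared directory, so the check belongs beside the HDFS permission model rather than in place of it.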
Affected Products and Versions
IBM InfoSphere BigInsights 3.0, 3.0.0.1 and 3.0.0.2
Remediation/Fixes
The recommended solution is to apply the appropriate fix for this vulnerability.
For versions 3.0.0.1 and 3.0.0.2: Apply the interim fix available from Fix Central.
For version 3.0.0.0: Please contact IBM Technical Support for fix resolution.
References
Change History
10 April 2015: Original Version Published
16 July 2015: Updated Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 08 April 2021
UID: swg21700654