Date: Dec 11, 2020 - 7:52 p.m.

Security Bulletin: Apache Hadoop could allow a remote attacker to obtain sensitive information that could affect IBM Streams.

Source: www.ibm.com

EPSS: 0.003 (percentile 67.9%)

Summary

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. Please see more details below.
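The condition in the summary is a pairing of two settings: Kerberos enabled for the cluster, SPNEGO not enabled for its HTTP endpoints. The check below is an added example, not part of IBM's bulletin or of Hadoop's own code. It parses a core-site.xml and reports whether a deployment is in that pairing, using the standard Hadoop keys hadoop.security.authentication and hadoop.http.authentication.type (assumed here; the bulletin names the conditions, not the keys) and Hadoop's default of "simple" when a key is absent (also assumed). Both XML documents are constructed samples. The bulletin lists no workaround for IBM Streams; this check only identifies which deployments match the described configuration so the fix pack can be prioritised, and a configuration with SPNEGO through HTTP enabled falls outside the condition the bulletin describes.

```python
import xml.etree.ElementTree as ET

# Hadoop configuration keys assumed for this check; the bulletin names the
# two conditions (Kerberos on, SPNEGO through HTTP off), not the keys.
SEC_AUTH_KEY = "hadoop.security.authentication"    # RPC/service auth: simple | kerberos
HTTP_AUTH_KEY = "hadoop.http.authentication.type"  # web UI / servlet auth: simple | kerberos
DEFAULT_VALUE = "simple"  # assumed Hadoop default when either key is absent

# Constructed sample core-site.xml in the configuration the bulletin describes:
# Kerberos for RPC, but the HTTP endpoints left on "simple" (no SPNEGO).
EXPOSED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>simple</value>
  </property>
</configuration>
"""

# Constructed sample with SPNEGO through HTTP enabled as well (the principal
# and keytab keys are the standard Hadoop ones, also assumed here; values are made up).
SPNEGO_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.http.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.COM</value>
  </property>
  <property>
    <name>hadoop.http.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
  </property>
</configuration>
"""


def parse_hadoop_conf(xml_text: str) -> dict:
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def assess_http_auth(props: dict) -> dict:
    """Report whether the configuration matches the bulletin's condition:
    Kerberos authentication enabled while SPNEGO through HTTP is not."""
    rpc_auth = props.get(SEC_AUTH_KEY, DEFAULT_VALUE).strip().lower()
    http_auth = props.get(HTTP_AUTH_KEY, DEFAULT_VALUE).strip().lower()
    matches = rpc_auth == "kerberos" and http_auth != "kerberos"
    if matches:
        note = ("Kerberos is enabled but %s=%s: HTTP servlets are not behind SPNEGO; "
                "this is the configuration CVE-2018-11765 describes, so apply the "
                "vendor fix on affected versions" % (HTTP_AUTH_KEY, http_auth))
    elif rpc_auth != "kerberos":
        note = "Kerberos authentication is not enabled; the described condition does not apply"
    else:
        note = "SPNEGO through HTTP is enabled; outside the condition the bulletin describes"
    return {"rpc_auth": rpc_auth, "http_auth": http_auth,
            "in_described_condition": matches, "note": note}


if __name__ == "__main__":
    for label, doc in (("exposed sample", EXPOSED_CORE_SITE),
                       ("spnego sample", SPNEGO_CORE_SITE)):
        result = assess_http_auth(parse_hadoop_conf(doc))
        print("%-15s %s" % (label, result["note"]))
```

Run it against a copy of each node's core-site.xml rather than a single cluster-wide file: the HTTP authentication keys are read by every daemon that serves a web UI, so a node whose file lacks the key silently falls back to the "simple" default and is reported as matching the described condition.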

Vulnerability Details

CVEID: CVE-2018-11765
DESCRIPTION: Apache Hadoop could allow a remote attacker to obtain sensitive information, caused by a flaw in Web interfaces when Kerberos authentication is enabled and SPNEGO through HTTP is disabled. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to access some servlets without authentication.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188908 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)    Version(s)
InfoSphere Streams     4.2.1.x
InfoSphere Streams     4.3.1.x

Remediation/Fixes

Version 4.3.x: Apply 4.3.1 Fix Pack 4 (4.3.1.4) or higher.

Workarounds and Mitigations

None
