Security vulnerabilities have been identified in Open Source Apache Hadoop that are dependencies for IBM InfoSphere BigInsights (IBM Open Platform with Apache Hadoop) CVE-2017-3161, CVE-2017-3162
CVE-ID: CVE-2017-3161
Description: Apache Hadoop is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the HDFS web UI. A remote attacker could exploit this vulnerability using the unescaped query parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125387 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE-ID: CVE-2017-3162
Description: Apache Hadoop could allow a remote attacker to bypass security restrictions, caused by the interaction between HDFS clients and a servlet on the DataNode to browse the HDFS namespace. An attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125388 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Principal Product and Version(s) | Affected Supporting Product and Version
---|---
IBM InfoSphere BigInsights 4.0, 4.1 | IBM Open Platform 4.0, 4.1
Install IBM Open Platform with Apache Spark and Apache Hadoop 4.2
Download site:
http://www.ibm.com/analytics/us/en/technology/hadoop/hadoop-trials.html
For installation instructions on how to install the IBM Open Platform with Apache Spark and Apache Hadoop, see Installing IBM Open Platform.
CPE Name | Operator | Version
---|---|---
ibm db2 big sql | eq | 4.0.0
ibm db2 big sql | eq | 4.1.0