Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Apache Hadoop

## Summary

Multiple vulnerabilities in Apache Hadoop used by InfoSphere Information Server were addressed.

## Vulnerability Details

**CVEID:** CVE-2022-26612
**DESCRIPTION:** Apache Hadoop for Windows could allow a remote attacker to bypass security restrictions, caused by the unTar function using unTarUsingJava on Windows and the built-in tar utility on Unix and other OSes. By following symbolic links, an attacker could exploit this vulnerability to write arbitrary files on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/223688 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2018-8009
**DESCRIPTION:** Apache Hadoop could allow a remote attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip".
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150617 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**CVEID:** CVE-2017-15713
**DESCRIPTION:** Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2022-25168
**DESCRIPTION:** Apache Hadoop could allow a local authenticated attacker to execute arbitrary commands on the system, caused by improper input file name validation by the FileUtil.unTar(File, File) API. By sending specially-crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/232807 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2016-3086
**DESCRIPTION:** Apache Hadoop could allow a remote attacker to obtain sensitive information, caused by a flaw in the YARN NodeManager. A remote attacker could exploit this vulnerability to obtain the password for the credential store provider.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131544 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2016-5393
**DESCRIPTION:** Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands with the same privileges as the HDFS service.
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120038 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2018-8029
**DESCRIPTION:** Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as the root user.
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161812 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**IBM X-Force ID:** 220885
**DESCRIPTION:** Apache Hadoop could allow a local attacker to obtain sensitive information, caused by the inclusion of the parent's environment variables in child processes. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/220885 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
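A defensive pre-extraction check for the two archive-handling weaknesses described above (the Zip-Slip "../" pattern of CVE-2018-8009 and the symlink following of CVE-2022-26612), written here as an added Python example; it is not code from Hadoop or from IBM, and the destination directory `/srv/extract` and the sample archives are constructed for the demo.

```python
import io, os, tarfile, zipfile
DEST = "/srv/extract"  # constructed destination; it need not exist for the checks to run

def safe_dest(dest_dir, member_path):
    """Resolve member_path under dest_dir; raise ValueError if it lands outside (Zip-Slip check)."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_path))  # join() drops root on absolute names
    if os.path.commonpath([root, target]) != root:
        raise ValueError(member_path)
    return target

def _escapes(dest_dir, path):
    try:
        safe_dest(dest_dir, path)
        return False
    except ValueError:
        return True

def check_zip(data, dest_dir):
    """Return ZIP entry names that would escape dest_dir ([] means the archive is clean)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return [n for n in names if _escapes(dest_dir, n)]

def check_tar(data, dest_dir):
    """Return tar member names that escape dest_dir by name or by link target; rejecting an
    outward-pointing link up front is what stops a later member being written through it."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            # symlink targets resolve from the link's own directory, hard links from the root
            base = os.path.dirname(m.name) if m.issym() else ""
            link_target = os.path.join(base, m.linkname) if (m.issym() or m.islnk()) else "."
            if _escapes(dest_dir, m.name) or _escapes(dest_dir, link_target):
                bad.append(m.name)
    return bad

def build_samples():
    """Constructed archives: a Zip-Slip ZIP and a tar whose symlink points above DEST."""
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("ok.txt", b"fine")
        zf.writestr("../evil.txt", b"dot-dot-slash")
        zf.writestr("/etc/evil.txt", b"absolute name")
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        link = tarfile.TarInfo("link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
        tf.addfile(link)
        tf.addfile(tarfile.TarInfo("link/evil.txt"))  # by name alone this looks harmless
    return zbuf.getvalue(), tbuf.getvalue()
```

The "link/evil.txt" member passes the name check on its own; only rejecting the "link" member whose target leaves the destination prevents the write-through.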

## Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| InfoSphere Information Server | 11.7 |

## Remediation/Fixes

| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| InfoSphere Information Server, InfoSphere Information Server on Cloud | 11.7 | DT197810 | Apply IBM InfoSphere Information Server version 11.7.1.0; apply InfoSphere Information Server version 11.7.1.4; apply InfoSphere Information Server 11.7.1.4 Service pack 1 |

## Workarounds and Mitigations

None
