IBM Support

3.0.0.1 and 3.0.0.2 Security Patch for Big SQL component

Fix Readme


Abstract

IBM InfoSphere BigInsights contains an unauthorized HDFS data access vulnerability. A remote, authenticated Big SQL user could exploit this vulnerability by issuing a specially crafted CREATE HADOOP TABLE statement on other users' data located in HDFS, or by executing the HCAT_SYNC_OBJECTS procedure to import a Hive table definition that was defined using Hive's LOCATION clause. To exploit the vulnerability, the malicious user needs valid security credentials to connect to Big SQL and the privileges to create a Hadoop table or to execute the HCAT_SYNC_OBJECTS procedure.

Content

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability. For all affected versions, apply the interim fix available from Fix Central.



Interim fix: 3.0.0.1-IM-BigInsights-EE-PPC64_CVE-2015-1889

Interim fix: 3.0.0.1-IM-BigInsights-EE-AMD64_CVE-2015-1889

Interim fix: 3.0.0.2-IM-BigInsights-EE-PPC64-PSIRT (InfoSphere BigInsights Enterprise Edition V3.0.0.2)

Interim fix: 3.0.0.2-IM-BigInsights-EE-AMD64-PSIRT (InfoSphere BigInsights Enterprise Edition V3.0.0.2)

Below are the steps required to patch 3.0.0.1 and 3.0.0.2 with the replacement jar files.

Perform them as the BigInsights admin (biadmin) user:

1. cd $BIGSQL_HOME/lib/java/

2. Back up the commoncatalog.jar and bigsql-udf.jar files

3. Copy the new commoncatalog.jar and bigsql-udf.jar here

4. Make sure the permissions and owners of the new jars match those of the original jars

5. cd $HIVE_HOME/lib/

    1. Back up the hive-serde-0.12.0.jar and hive-exec-0.12.0.jar files

    2. Copy the new hive-serde-0.12.0.jar and hive-exec-0.12.0.jar here

6. Make sure the permissions and owners of the new jars match those of the original jars

7. Restart BigInsights

After Big SQL is up, remove the ability for PUBLIC to execute HCAT_SYNC_OBJECTS by connecting to the bigsql database and running this command:

revoke execute on procedure syshadoop.hcat_sync_objects from public restrict
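The jar-replacement steps above (back up, copy in, match permissions and owner) as an added shell example; this is not IBM's code and is not part of the readme. It assumes GNU coreutils (stat -c, chmod/chown --reference), that BIGSQL_HOME and HIVE_HOME are set as they are for biadmin, and a staging directory holding the four new jars under their original names.

```shell
#!/bin/sh
# Added example, not from the IBM readme. Replaces one jar in place while
# keeping a timestamped backup and matching the original's mode and owner.
# Assumes GNU coreutils and that it runs as the jar owner (biadmin) or root;
# if the owner cannot be set, it warns so the admin can fix it by hand.

# backup_and_replace <target_dir> <path_to_new_jar>
# Prints the backup path on success; returns non-zero on any failure.
backup_and_replace() {
    dir=$1
    new=$2
    name=$(basename "$new")
    old="$dir/$name"
    [ -f "$old" ] || { echo "missing original: $old" >&2; return 1; }
    [ -f "$new" ] || { echo "missing replacement: $new" >&2; return 1; }
    bak="$old.bak-$(date +%Y%m%d%H%M%S)"
    cp -p "$old" "$bak" || return 1               # steps 2 / 5.1: backup
    cp "$new" "$old" || return 1                  # steps 3 / 5.2: copy new jar
    chmod --reference="$bak" "$old" || return 1   # steps 4 / 6: match mode
    chown --reference="$bak" "$old" 2>/dev/null \
        || echo "warning: could not set owner on $old; fix manually" >&2
    echo "$bak"
}

# same_mode_owner <a> <b>: true when mode, uid and gid of a and b match.
# Run it against each replaced jar and its backup before restarting.
same_mode_owner() {
    [ "$(stat -c '%a %u %g' "$1")" = "$(stat -c '%a %u %g' "$2")" ]
}

# patch_bigsql_jars <staging_dir>: applies steps 1 to 6 for all four jars.
# Requires BIGSQL_HOME and HIVE_HOME in the environment; stops at the first
# jar that cannot be replaced so a half-applied patch is noticed.
patch_bigsql_jars() {
    staging=$1
    for jar in commoncatalog.jar bigsql-udf.jar; do
        backup_and_replace "$BIGSQL_HOME/lib/java" "$staging/$jar" || return 1
    done
    for jar in hive-serde-0.12.0.jar hive-exec-0.12.0.jar; do
        backup_and_replace "$HIVE_HOME/lib" "$staging/$jar" || return 1
    done
}
```

After `patch_bigsql_jars` succeeds, restart BigInsights and run the revoke above; the backups stay beside the jars so the change can be reverted.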


Document Information

Modified date: 08 April 2021

UID: swg21902485