IBM Support

Security Bulletin: Vulnerabilities exist in Watson Explorer Analytical Components and Watson Content Analytics (CVE-2018-8039, CVE-2017-1788)

Security Bulletin


Summary

Security vulnerabilities have been identified in IBM Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console, and IBM Watson Content Analytics.

Vulnerability Details

CVEID: CVE-2018-8039
DESCRIPTION: Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2017-1788
DESCRIPTION:   IBM WebSphere Application Server 9 installations using Form Login could allow a remote attacker to conducts spoofing attacks. IBM X-Force ID: 137031.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/137031 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

To see which vulnerabilities apply to your product and version, see the applicable row in the following table.

Affected Product

 Affected Versions Applicable Vulnerabilities
Watson Explorer Analytical Components

11.0.0.0 - 11.0.0.3,
11.0.1,
11.0.2.0 - 11.0.2.3

 CVE-2018-8039
Watson Explorer Analytical Components

11.0.0.0 - 11.0.0.3,
11.0.1,
11.0.2.0 - 11.0.2.2

 CVE-2017-1788
Watson Explorer Foundational Components Annotation Administration Console 11.0.0.0 - 11.0.0.3,
11.0.1,
11.0.2.0 - 11.0.2.2
CVE-2018-8039
CVE-2017-1788
Watson Explorer Analytical Components 10.0.0.0 - 10.0.0.2
CVE-2018-8039
CVE-2017-1788
Watson Explorer Foundational Components Annotation Administration Console 10.0.0.0 - 10.0.0.2
CVE-2018-8039
CVE-2017-1788
Watson Content Analytics 3.5.0.0 - 3.5.0.4
CVE-2018-8039
CVE-2017-1788

Remediation/Fixes

For information about fixes, see the applicable row in the following table. The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at http://www.ibm.com/support/fixcentral/.
 

Affected Product Affected Versions Vulnerability Fix
Watson Explorer Analytical Components 11.0.0.0 - 11.0.0.3, 11.0.1,
11.0.2.0 - 11.0.2.3		 CVE-2018-8039 Upgrade to Watson Explorer Analytical Components Version 11.0.2 Fix Pack 4. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
Watson Explorer Analytical Components 11.0.0.0 - 11.0.0.3, 11.0.1,
11.0.2.0 - 11.0.2.2		 CVE-2017-1788 Upgrade to Watson Explorer Analytical Components Version 11.0.2 Fix Pack 3. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
Watson Explorer Foundational Components Annotation Administration Console 11.0.0.0 - 11.0.0.3, 11.0.1,
11.0.2.0 - 11.0.2.2
CVE-2018-8039
CVE-2017-1788
 Upgrade to Watson Explorer Foundational Components Annotation Administration Console Version 11.0.2 Fix Pack 4. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
Watson Explorer Analytical Components 10.0.0.0 - 10.0.0.2
CVE-2018-8039
CVE-2017-1788
 Important: Perform these steps as a Watson Explorer Analytical Components administrative user, typically esadmin.
  1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).
  2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF003 or later and extract the contents of the fix into a temporary directory.
  3. See the Updating WebSphere Liberty used in IBM Watson Explorer Analytical Components for detailed instructions how to apply the fix.
Watson Explorer Foundational Components Annotation Administration Console 10.0.0.0 - 10.0.0.5
CVE-2018-8039
CVE-2017-1788
 Important: Perform these steps as a Watson Explorer Annotation Administration Console administrative user, typically esadmin.
  1. If not already installed, install V10.0 Fix Pack 5 (see the Fix Pack download document).
  2. Download the package from Fix Central: interim fix 10.0.0.5-WS-WatsonExplorer-<edition>FoundationalAAC-IF001 or later and extract the contents of the fix into a temporary directory.
  3. To install the fix, see Updating WebSphere Liberty used in IBM Watson Explorer Analytical Components .
Watson Content Analytics 3.5.0.0 - 3.5.0.4
CVE-2018-8039
CVE-2017-1788
 Important: Perform these steps as a Watson Content Analytics administrative user, typically esadmin.
  1. If not already installed, install V3.5.0.4. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
  2. Download the package from Fix Central: interim fix 3.5.0.4-WT-WCA-IF002 and extract the contents of the fix into a temporary directory.
  3. To install the fix, see Updating WebSphere Liberty used in IBM Watson Explorer Analytical Components .

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

03 Dec 2018: Initial Publication
22 May 2020: Updated to include CVE-2017-1788

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Date Notes
03 Dec 2018 Initial publish for CVE-2018-8039 (# PSIRT - A:13380)
22 May 2020 Add CVE-2017-1788 (# PSIRT - A:10620)

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS8NLW","label":"IBM Watson Explorer"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"10.0.0;11.0.0;11.0.1;11.0.2","Edition":"Advanced","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS5RWK","label":"Content Analytics with Enterprise Search"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"3.5","Edition":"All Editions","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
22 May 2020

Initial Publish date:
03 December 2018

UID

ibm10742661

Page Feedback