IBM Support

Security Bulletin: A security vulnerability has been identified in Apache Spark shipped with IBM Operations Analytics Predictive Insights (CVE-2018-17190)

Created by Mark O'Riordan on
Published URL:
https://www.ibm.com/support/pages/node/791139
791139

Security Bulletin


Summary

There is a vulnerability in Apache Spark®, Version 2.0.1 that is used by IBM Operations Analytics Predictive Insights 1.3.6.
IBM Operations Analytics Predictive Insights has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2018-17190
DESCRIPTION: Apache Spark could allow a remote attacker to execute arbitrary code on the system, caused by the acceptance and running of code on a master host by an unsecured standalone resource manager. If authentication is disabled, an attacker could send a specially crafted request to execute arbitrary code on the system.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153121 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

 

Also refer to external Disclosure URL specified below
https://seclists.org/oss-sec/2018/q4/151
https://spark.apache.org/security.html

Affected Products and Versions

IBM Operations Analytics Predictive Insights v1.3.6

Remediation/Fixes

For standalone masters, as is used with Predictive Insights, disable the REST API by setting spark.authenticate to true. When you do this, you will also need to set a value for spark.authenticate.secret
That is, set the following in the file $SPARK_HOME/conf/spark-defaults.conf:-

spark.authenticate          true
spark.authenticate.secret   mySecret1234!

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

https://seclists.org/oss-sec/2018/q4/151
https://spark.apache.org/security.html

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

18 December 2018: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSJQQ3","label":"IBM Operations Analytics - Predictive Insights"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"1.3.6","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
18 December 2018

UID

ibm10791139

Page Feedback