Bad cup of Java leaves nasty taste in IBM Watson’s ‘AI’ mouth: Five security bugs to splat in analytics gear

IBM has issued a security alert over five vulnerabilities in its golden boy Watson analytics system.

Big Blue has issued an update today to clean up a series of security flaws in Watson that stem from the analytics system’s use of Java components. The bugs are present in installations of Watson Explorer and IBM Watson Content Analytics.

In total, IBM says, five CVE-listed vulnerabilities are cleared up by the latest update, ranging from information disclosure flaws to remote takeover vulnerabilities.

The most serious of the five bugs is CVE-2018-2633, a flaw in Java SE, Java SE Embedded, and JRockit JNDI that can allow an attacker with local network access to remotely take control of the targeted box. While details of the flaw were not given, the exploit is said to require user interaction.

“Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products,” the CVE summary of the bug reads.

“Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit”

While IBM notes that while the flaw is particularly difficult for an attacker to exploit, Watson boxes are a particularly valuable target, so admins would be wise to address the bugs post-haste.

Another flaw, CVE-2018-2603, would allow an attacker to crash the targeted Watson system by initiating a denial of service attack. Unlike the remote takeover bug, this flaw can be more easily exploited by an attacker with local network access, but annoyingly Big Blue was skimpy on details of what made this so.

“Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit,” the summary reads.

“Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit.”

The remaining three flaws, CVE-2018-2579, CVE-2018-2588, and CVE-2018-2602, all relate to information disclosure flaws. All of those three would allow an attacker to potentially retrieve sensitive information from the target machine, though Big Blue held off on saying exactly how the flaws were exploited.

Each of the flaws can be patched up by getting the latest version of the Java Runtime. Admins are advised to test and install the patch as soon as possible. ®

Speaking of IBM… If you’re using Big Blue’s BigFix relay server, ensure relay authentication is enabled. “Not doing so exposes a ridiculous amount of information to unauthenticated external attackers, sometimes leading to a full remote compromise,” infosec bod HD Moore warned today.

“Also note than an attacker who has access to the internal network or to an externally connected system with an authenticated agent can still access the BigFix data, even with Relay Authentication enabled. The best path to preventing a compromise through BigFix is to not include any sensitive content in uploaded packages.”

[“source=theregister”]