Bad cup of Java leaves nasty taste in IBM Watson's 'AI' mouth: Five security bugs to splat in analytics gear

Worse brew than that time El Reg went on a road trip and stopped at a Denny's


IBM has issued a security alert over five vulnerabilities in its golden boy Watson analytics system.

Big Blue has issued an update today to clean up a series of security flaws in Watson that stem from the analytics system's use of Java components. The bugs are present in installations of Watson Explorer and IBM Watson Content Analytics.

In total, IBM says, five CVE-listed vulnerabilities are cleared up by the latest update, ranging from information disclosure flaws to remote takeover vulnerabilities.

The most serious of the five bugs is CVE-2018-2633, a flaw in the JNDI component of Java SE, Java SE Embedded, and JRockit that can allow an attacker with network access to take control of the targeted box. Details of the flaw were not given, but the exploit is said to require user interaction.

"Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products," the CVE summary of the bug reads.

"Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit."

IBM notes that the flaw is difficult for an attacker to exploit, but Watson boxes are a particularly valuable target, so admins would be wise to address the bugs post-haste.


Another flaw, CVE-2018-2603, would allow an attacker to knock the targeted Watson system partially offline with a denial-of-service attack. Unlike the remote takeover bug, this one requires no user interaction and can be exploited by an unauthenticated attacker with network access, but annoyingly Big Blue was skimpy on details of what made this so.

"Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit," the summary reads.

"Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit."

The remaining three flaws, CVE-2018-2579, CVE-2018-2588, and CVE-2018-2602, are all information disclosure bugs. Each would potentially allow an attacker to retrieve sensitive information from the target machine, though Big Blue held off on saying exactly how the flaws were exploited.

Each of the flaws can be patched up by getting the latest version of the Java Runtime. Admins are advised to test and install the patch as soon as possible. ®
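As a practical follow-up to that advice, here is an added example (not code from IBM, Oracle or the original article) of how an admin might confirm that the JRE on a fleet of Watson hosts is actually at or above the fixed build before closing the ticket. It parses the output of `java -version`, which is the same for Oracle and IBM runtimes, and compares it with a baseline the caller supplies. The baseline used in the usage call, 8u161, is an assumption for illustration; take the real fixed build from the vendor advisory for your runtime. The sample version strings are constructed, not captured from a real Watson box.

```python
"""Check whether a JRE's reported version is at or above a patched baseline.

Added example for this article; the 8u161 baseline below is an assumed
illustration, not a value taken from the IBM advisory.
"""
import re
import subprocess

# Constructed sample 'java -version' output (this command writes to stderr).
SAMPLE_OUTPUT_OLD = (
    'java version "1.8.0_152"\n'
    'Java(TM) SE Runtime Environment (build 1.8.0_152-b16)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)\n'
)
SAMPLE_OUTPUT_NEW = (
    'java version "1.8.0_161"\n'
    'Java(TM) SE Runtime Environment (build 1.8.0_161-b12)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)\n'
)

# Matches both the legacy "1.8.0_161" style and the "9.0.4" / "11.0.1" style.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, patch, update) from 'java -version' text, or None.

    The update field is 0 for post-Java-8 version strings that lack '_NNN'.
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_patched(output, baseline):
    """True if the parsed version is >= baseline; fails closed on unparseable output.

    Tuple comparison treats a newer major line (e.g. 11.x) as above an 8uNNN
    baseline, which assumes the newer line also carries the fix.
    """
    version = parse_java_version(output)
    if version is None:
        return False
    return version >= baseline


def check_local_java(baseline, java="java"):
    """Run `java -version` on this host and return True/False, or None if it cannot run."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_patched(proc.stderr + proc.stdout, baseline)


if __name__ == "__main__":
    ASSUMED_BASELINE = (1, 8, 0, 161)  # illustrative; confirm against the vendor advisory
    for label, sample in (("old", SAMPLE_OUTPUT_OLD), ("new", SAMPLE_OUTPUT_NEW)):
        print(label, parse_java_version(sample), is_patched(sample, ASSUMED_BASELINE))
    print("local java patched:", check_local_java(ASSUMED_BASELINE))
```

Run it across hosts with whatever remote-execution tool you already trust; the point is that `is_patched` refuses to say "yes" when it cannot read the version, so a host with a broken or missing JRE shows up as unpatched rather than silently passing.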

Speaking of IBM... If you're using Big Blue's BigFix relay server, ensure relay authentication is enabled. "Not doing so exposes a ridiculous amount of information to unauthenticated external attackers, sometimes leading to a full remote compromise," infosec bod HD Moore warned today.

"Also note that an attacker who has access to the internal network or to an externally connected system with an authenticated agent can still access the BigFix data, even with Relay Authentication enabled. The best path to preventing a compromise through BigFix is to not include any sensitive content in uploaded packages."


Biting the hand that feeds IT © 1998–2022