Recently, five vulnerabilities affected Watson Explorer and Content Analytics meant for IBM Watson. Read on to know more about the vulnerabilities…
Recently, five vulnerabilities affected Watson Explorer and Content Analytics meant for IBM Watson. IBM announced fixes for five flaws in Java runtime that leave multiple versions of Watson Explorer and IBM Watson Content Analytics vulnerable to various attacks.
Watson, IBM’s trademark Artificial Intelligence (AI) system, was found to be riddled with critical security vulnerabilities in its platform. The bugs were identified in the IBM Runtime Environment Java Technology Edition, which is used by Watson Explorer and Content Analytics. IBM has addressed the five vulnerabilities by providing a fix to all the affected components.
The Vulnerabilities
IBM’s Product Security Incident Response Team (PSIRT) has posted an alert about the “high severity” bugs affecting various Watson analytics products, consoles, and the content analytics studio. The most severe flaw, CVE-2018-2602, was actually addressed in Oracle’s January 2018 critical-patch update, and then originally patched in an update IBM released in March 2018. IBM updated the advisory throughout the year with information about fixes for additional Watson products and components.
The advisory notes that the Java bug is “difficult to exploit” but allows an “unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit”. “Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit.”
IBM’s PSIRT also put out an alert for a high-severity flaw affecting the IBM Decision Optimization Center, which uses the IBM SDK Java and IBM Runtime Environment Java versions 7 and 8. These are affected by two bugs.
One the two bugs, CVE-2018-12547, is a severe buffer overflow affecting the open-source Eclipse OpenJ9 Java virtual machine. It has a CVSS 3.0 base score of 9.8 out of a possible 10 and could allow a remote attacker to execute arbitrary code on the system or crash an application. “The recommended solution is to download and install the IBM Java SDK as soon as practicable,” IBM notes in its advisory, adding that there are no workarounds or mitigations.
That same OpenJ9 Java bug also affects the IBM Runtime Environment Java used in the IBM CPLEX Optimization Studio and IBM CPLEX Enterprise Server releases 12.9 and earlier. The CPLEX product updates also address a Java SE flaw, CVE-2019-2426, which Oracle patched in January, and a locally exploitable flaw in the IBM SDK, Java Technology Edition Version 8 on the AIX platform.
Other products affected by the trio of bugs include IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 35 and earlier releases, and IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 27 and earlier releases.
Each of the flaws can be patched up by getting the latest version of the Java Runtime. Admins are advised to test and install the patch as soon as possible.