CVE-2017-1768

Vulnerability

IBM Security Guardium Big Data Intelligence (SonarG) version 3.1 generates an error message that includes sensitive details about its environment, users, or associated data [1]. This information leakage occurs in error handling output when the application encounters a fault condition. The vulnerability exists in all deployments of SonarG version 3.1 [1].

Exploitation

An attacker must first authenticate to the application with low-level privileges [1]. After authentication, the attacker can trigger a system error, either by normal interaction with the application that leads to an error or by deliberately causing an invalid request. The application then returns an error page or message that exposes internal configuration details, user identifiers, or other sensitive data [1].

Impact

A successful exploitation allows an authenticated low-privilege attacker to gain information about the environment, users, or associated data [1]. The confidentiality impact is low; there is no impact on integrity or availability [1]. The disclosed information can be used for further targeted attacks against the system or its users.

Mitigation

IBM has not released a software fix as of the publication date of the advisory [1]. The vendor states that there are no workarounds or mitigations available [1]. Users should monitor for an upcoming patch from IBM and limit user access to the application until a fix can be applied [1].