CVE-2017-1774

Vulnerability

IBM Security Guardium Big Data Intelligence (SonarG) version 3.1 is affected by an information exposure vulnerability. The software discloses sensitive information to unauthorized users who can access the system over the network without any prior authentication or privileges. This affects the default configuration of the affected product version.

Exploitation

An unauthenticated attacker with network access can exploit this vulnerability by sending crafted requests to the vulnerable IBM Security Guardium Big Data Intelligence (SonarG) 3.1 instance. No user interaction or authentication is required. The attack is remote and can be performed over the network, leveraging the disclosed information by IBM X-Force. The information obtained can then be used to mount further attacks on the system.

Impact

Successful exploitation allows an attacker to obtain sensitive information from the affected system. The confidentiality impact is low, as per the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The attacker can use the disclosed information to facilitate further attacks against the vulnerable environment, potentially escalating the compromise beyond the initial information disclosure.

Mitigation

IBM has addressed this vulnerability in a fix available via the IBM Security Guardium Big Data Intelligence (SonarG) support page. Customers should apply the remediation as described in the vendor advisory [1]. No workarounds or mitigations are provided [1]. The advisory was originally published on February 16, 2018 [1]. This CVE is not listed on the CISA KEV catalog.