cbcvebase.
CVE-2023-27290
published 2023-03-03

CVE-2023-27290: Docker based datastores for IBM Instana (IBM Observability with Instana 239-0 through 239-2, 241-0 through 241-2, and 243-0) do not currently require…

PriorityP270critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EXPLOIT
EPSS
8.57%
94.4th percentile
Docker based datastores for IBM Instana (IBM Observability with Instana 239-0 through 239-2, 241-0 through 241-2, and 243-0) do not currently require authentication. Due to this, an attacker within the network could access the datastores with read/write access. IBM X-Force ID: 248737.

Affected

5 ranges
VendorProductVersion rangeFixed in
ibmobservability_with_instana
ibmobservability_with_instana>= 239-0 < 239-2239-2
ibmobservability_with_instana239-0 – 239-2
ibmobservability_with_instana>= 241-0 < 241-2241-2
ibmobservability_with_instana241-0 – 241-2

Detection & IOCsextracted from sources · hover to see the quote

port8123
port26257
port9200
port9092
port8181
port9090
port2181
urlhttp://{host}:8123/?query=SELECT%20*%20FROM%20system.tables
urlhttp://{host}:9200/_cat/indices?v
urlhttp://{host}:9090/metrics
commandkafka-topics --bootstrap-server {host}:{port} --list --exclude-internal
commandecho dump |ncat {host} {port}
commandcockroach sql --host {host}:{port} --insecure
commandwget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"
  • Detect unauthenticated access attempts to Cassandra on port 9042 — no credentials presented in connection (cqlsh without auth).
  • Monitor for unauthenticated HTTP GET requests to ClickHouse HTTP interface (port 8123) containing the query string '/?query=SELECT%20*%20FROM%20system.tables', indicating enumeration of all database tables.
  • Monitor for unauthenticated HTTP GET requests to Elasticsearch on port 9200 with path '/_cat/indices?v', indicating index enumeration.
  • Monitor for unauthenticated HTTP GET requests to Prometheus on port 9090 with path '/metrics', indicating metric scraping by an unauthorized party.
  • Detect Zookeeper 'dump' command sent over raw TCP to port 2181 without authentication, used to enumerate ephemeral nodes and sessions.
  • Detect use of 'kafka-topics --list' against Kafka bootstrap server on port 9092 without SASL/TLS, indicating unauthenticated topic enumeration.
  • Detect CockroachDB connections using the '--insecure' flag on port 26257, indicating exploitation of missing authentication.
  • An attacker within the network could access the datastores with read/write access — scope detection to internal network segments hosting IBM Instana Docker-based deployments.
  • ·Vulnerability affects only Docker-based datastore deployments of IBM Instana in the specified version range; fixed in version 241-3 and later.
  • ·The missing authentication applies specifically to Docker-based datastores, not all Instana deployment types.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.