CVE-2023-27290
Published 2023-03-03
Priority P270 · critical · CVSS 3.1: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 8.57% (94.4th percentile)
Docker based datastores for IBM Instana (IBM Observability with Instana 239-0 through 239-2, 241-0 through 241-2, and 243-0) do not currently require authentication. Due to this, an attacker within the network could access the datastores with read/write access. IBM X-Force ID: 248737.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | observability_with_instana | — | — |
| ibm | observability_with_instana | >= 239-0 < 239-2 | 239-2 |
| ibm | observability_with_instana | 239-0 – 239-2 | — |
| ibm | observability_with_instana | >= 241-0 < 241-2 | 241-2 |
| ibm | observability_with_instana | 241-0 – 241-2 | — |
Detection & IOCs
- Detect unauthenticated access attempts to Cassandra on port 9042 — no credentials presented in connection (cqlsh without auth).
- Monitor for unauthenticated HTTP GET requests to ClickHouse HTTP interface (port 8123) containing the query string '/?query=SELECT%20*%20FROM%20system.tables', indicating enumeration of all database tables.
- Monitor for unauthenticated HTTP GET requests to Elasticsearch on port 9200 with path '/_cat/indices?v', indicating index enumeration.
- Monitor for unauthenticated HTTP GET requests to Prometheus on port 9090 with path '/metrics', indicating metric scraping by an unauthorized party.
- Detect Zookeeper 'dump' command sent over raw TCP to port 2181 without authentication, used to enumerate ephemeral nodes and sessions.
- Detect use of 'kafka-topics --list' against Kafka bootstrap server on port 9092 without SASL/TLS, indicating unauthenticated topic enumeration.
- Detect CockroachDB connections using the '--insecure' flag on port 26257, indicating exploitation of missing authentication.
- An attacker within the network could access the datastores with read/write access — scope detection to internal network segments hosting IBM Instana Docker-based deployments.
- Vulnerability affects only Docker-based datastore deployments of IBM Instana in the specified version range; fixed in version 241-3 and later.
- The missing authentication applies specifically to Docker-based datastores, not all Instana deployment types.
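The three HTTP indicators above (ClickHouse, Elasticsearch, Prometheus) expressed as detection logic over proxy or sensor records. This is an added example, not code from the advisory or from IBM. The JSON record layout, the `authorization` flag, the datastore subnet and the known-client list are assumptions, and the sample records are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit, unquote_plus

# Indicators from the list above: port -> (datastore, matcher(path, decoded query)).
RULES = {
    8123: ("ClickHouse", lambda p, q: "from system.tables" in q.lower()),
    9200: ("Elasticsearch", lambda p, q: p.rstrip("/") == "/_cat/indices"),
    9090: ("Prometheus", lambda p, q: p == "/metrics"),
}

# Assumptions (constructed values): datastore subnet and expected clients.
DATASTORE_NET = ipaddress.ip_network("10.20.0.0/24")
KNOWN_CLIENTS = {"10.20.0.5"}

# Constructed sample records, one JSON object per line.
SAMPLE = [
    '{"src":"10.20.0.57","dst":"10.20.0.11","dst_port":8123,"method":"GET","uri":"/?query=SELECT%20*%20FROM%20system.tables","authorization":false}',
    '{"src":"10.20.0.57","dst":"10.20.0.12","dst_port":9200,"method":"GET","uri":"/_cat/indices?v","authorization":false}',
    '{"src":"10.20.0.5","dst":"10.20.0.13","dst_port":9090,"method":"GET","uri":"/metrics","authorization":false}',
    '{"src":"10.20.0.57","dst":"10.20.0.13","dst_port":9090,"method":"GET","uri":"/metrics","authorization":false}',
    '{"src":"10.20.0.57","dst":"10.20.0.12","dst_port":9200,"method":"GET","uri":"/_cluster/health","authorization":false}',
    'not json',
]

def detect(lines, net=DATASTORE_NET, known=KNOWN_CLIENTS):
    """Return (src, datastore, uri) for unauthenticated GETs that match a rule."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            src, uri = ev["src"], str(ev["uri"])
            dst, port = ipaddress.ip_address(ev["dst"]), int(ev["dst_port"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the run
        if dst not in net or port not in RULES or ev.get("method") != "GET":
            continue
        if ev.get("authorization") or src in known:
            continue  # credentials presented, or an expected client
        name, match = RULES[port]
        parts = urlsplit(uri)
        if match(parts.path, unquote_plus(parts.query)):
            hits.append((src, name, uri))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(*hit)
```

The known-client list keeps legitimate scrapers of `/metrics` out of the results; populate it from the hosts that are expected to reach each datastore.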
References
- http://packetstormsecurity.com/files/171770/IBM-Instana-243-0-Missing-Authentication.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/248737
- https://www.ibm.com/support/pages/node/6959969