Severe Java bugs found in IBM Watson and its components

• A total of five vulnerabilities affected several components of IBM Watson.
• One of the critical bugs (CVE-2018-2633) can allow attackers to remotely control Watson systems.

Watson, IBM’s trademark artificial intelligence(AI) system, was found to be riddled with critical security vulnerabilities in its platform. The bugs were identified in the IBM Runtime Environment Java Technology Edition, which is used by Watson Explorer and Content Analytics.

IBM has addressed the five vulnerabilities by providing a fix to all the affected components.

The big picture

• The Java components with vulnerabilities were JRockit Libraries, JRockit LDAP, JRockit JNDI, and I18n.
• These flaws could enable attackers to steal sensitive information, conduct denial of service attacks and have control over the infected systems.
• They are designated as CVE-2018-2579, CVE-2018-2588, CVE-2018-2602, CVE-2018-2603, and CVE-2018-2633.
• CVE-2018-2633 was the most severe among the identified vulnerabilities, which would allow cybercriminals to completely take over Watson. “An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.” described the bulletin.
• Altogether, 18 IBM Watson products were discovered to be affected.

Update published

Following the disclosure of the security flaws, IBM released updates for the affected components. Users are advised to upgrade to the required version of IBM Java Runtime to remediate the five vulnerabilities.

All these flaws were actually addressed in the Oracle January 2018 advisory but still impacted IBM Watson due to lack of a fix until now.

Regarding the affected products, Watson Explorer Foundational Components and Watson Explorer Analytical Components versions formed the major chunk.