On March 24, 2017, I discovered and reported a remote password change vulnerability in Hewlett Packard Enterprise's (HPE) Vertica Analytic Database. This week, HPE released Security Bulletin HPESBGN03734, which contains the fix for this vulnerability and identifies it as CVE-2017-5802.
HPE's Vertica Analytics Platform is an SQL analytics solution built from the ground up to handle the ever-growing volumes of Big Data found in many corporations and government agencies, and to deliver fast analytics over that data. At the core of the Vertica Analytics Platform is a column-oriented, relational database named Vertica Analytic Database.
This vulnerability can be used to remotely change the password of the administrator account, and HPE has rated it as Critical. It affects HPE Vertica Analytic Database 8.1.0 and prior versions.
In this blog, I want to share the details of this vulnerability.
To reproduce the vulnerability, you can follow the steps below.
Figure 1. Create a database
Figure 2. Set IP address for the database
Figure 3. Set the path of the database