Security Bulletin: IBM DataQuant is affected by an open source Apache POI vulnerability.

2021-02-11 16:57:46
www.ibm.com

EPSS: 0.014 (Low)
EPSS Percentile: 86.3%

Summary

IBM DataQuant has addressed the following vulnerability.

Vulnerability Details

Relevant CVE Information:

CVEID: CVE-2017-5644 DESCRIPTION: Apache POI is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data (the upstream Apache POI advisory and NVD describe the same flaw as an XML Entity Expansion (XEE) attack, which is consistent with the CPU-exhaustion impact and the availability-only vector below). By using a specially crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Effective CVSS Score: 5.30

Affected Products and Versions

IBM DataQuant for Multiplatforms 1.1, 1.2, and 2.1
IBM DataQuant for z/OS 1.1 and 2.1

Remediation/Fixes

None. See “Workarounds and Mitigations.”

Workarounds and Mitigations

Complete steps 1 - 8 to replace DataQuant’s Apache POI library with the latest version, which is 3.16. The steps modify IBM-shipped bundles in place, so back up the original jar files, the com.ibm.bi.thirdparty folder and the .war/.ear archives before you start:

1. Install 7-Zip or other file archiver.

2. Download POI 3.16 (https://archive.apache.org/dist/poi/release/bin/poi-bin-3.16-20170419.zip) and verify the archive against the signature or checksum file Apache publishes alongside it before extracting it. Find the following jar files inside the archive:
poi-3.16.jar
poi-ooxml-3.16.jar
poi-ooxml-schemas-3.16.jar
commons-collections4-4.1.jar (under the “lib” folder)
commons-codec-1.10.jar (under the “lib” folder)
commons-logging-1.2.jar (under the “lib” folder)
curvesapi-1.04.jar (under the “ooxml-lib” folder)
xmlbeans-2.6.0.jar (under the “ooxml-lib” folder)

3. In the DataQuant for Workstation\plugins folder, rename com.ibm.bi.core.poi_2.1.7.20170216.jar to com.ibm.bi.core.poi_2.1.7.20170216.zip and open it in the archiver that you have installed in step 1.
- Remove everything from the “lib” folder.
- Copy the poi-3.16.jar, poi-ooxml-3.16.jar, poi-ooxml-schemas-3.16.jar, xmlbeans-2.6.0.jar, curvesapi-1.04.jar and commons-collections4-4.1.jar files into the “lib” folder.
- Modify the META-INF\MANIFEST.MF file. Instead of:

Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150
 511.jar,lib/poi-ooxml-schemas-3.12-20150511.jar,lib/xmlbeans-2.6.0.jar

Type:

Bundle-ClassPath: .,lib/poi-3.16.jar,lib/poi-ooxml-3.16.jar,lib/poi-oo
 xml-schemas-3.16.jar,lib/xmlbeans-2.6.0.jar,lib/curvesapi-1.04.jar,li
 b/commons-collections4-4.1.jar

Make sure that the second and the third line each begin with exactly one space: the JAR manifest format limits a line to 72 bytes, and a line that starts with a single space continues the value of the line before it. A missing space turns the continuation into a malformed attribute and the bundle will not resolve.
- Save the changes, close the archiver, and rename com.ibm.bi.core.poi_2.1.7.20170216.zip to com.ibm.bi.core.poi_2.1.7.20170216.jar.

4. In the DataQuant for Workstation\plugins folder, rename com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar to com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip and open it in the archiver.
- Remove everything from the “lib” folder.
- Copy the poi-3.16.jar, poi-ooxml-3.16.jar, poi-ooxml-schemas-3.16.jar and xmlbeans-2.6.0.jar files into the “lib” folder.
- Modify the META-INF\MANIFEST.MF file. Instead of:

Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150
 511.jar,lib/poi-ooxml-schemas-3.12-20150511.jar,lib/poi-scratchpad-3.12-20150511.jar

Type:

Bundle-ClassPath: .,lib/poi-3.16.jar,lib/poi-ooxml-3.16.jar,lib/poi-oo
 xml-schemas-3.16.jar,lib/xmlbeans-2.6.0.jar

Make sure that the second line begins with exactly one space.
- Save the changes, close the archiver, and rename com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip to com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar.

5. In the DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216 folder
- Remove commons-codec-1.6.jar and commons-logging-1.1.3.jar from the “Other” folder.
- Copy commons-codec-1.10.jar and commons-logging-1.2.jar into the “Other” folder.
- Modify META-INF\MANIFEST.MF. Instead of:

Bundle-ClassPath: Other/mail.jar,Other/DPDFGen.jar,Other/js.jar,Other/
 commons-logging-1.1.3.jar,Other/httpclient-4.3.1.jar,Other/httpcore-4
 .3.jar,Other/commons-codec-1.6.jar,Other/pdfbox-1.7.0.jar,Other/fontb
 ox-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,Other/jackson-core-2
 .2.2.jar,Other/jackson-databind-2.2.2.jar,Other/httpmime-4.3.jar

Type:

Bundle-ClassPath: Other/mail.jar,Other/DPDFGen.jar,Other/js.jar,Other/
 commons-logging-1.2.jar,Other/httpclient-4.3.1.jar,Other/httpcore-4.3
 .jar,Other/commons-codec-1.10.jar,Other/pdfbox-1.7.0.jar,Other/fontbo
 x-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,Other/jackson-core-2.
 2.2.jar,Other/jackson-databind-2.2.2.jar,Other/httpmime-4.3.jar

Make sure that every line except the first begins with exactly one space.
- Save the changes.

6. Run DataQuant for Workstation once with the following command line parameters. The -clean flag clears the Eclipse/OSGi bundle cache so that the rebuilt plugins are read from disk rather than served from the cached copies of the old bundles:

dataquant.exe -clean -clearPersistedState

7. For DataQuant for WebSphere\DataQuantWebSphere21.war, rename DataQuantWebSphere21.war to DataQuantWebSphere21.zip and open it in the file archiver.
- Make the changes described in steps 3 and 5 inside the WEB-INF\eclipse\plugins folder of DataQuantWebSphere21.zip, or replace the existing com.ibm.bi.core.poi_2.1.7.20170216.jar file and com.ibm.bi.thirdparty_2.1.7.20170216 folder there with the updated ones from the workstation version.
- Close the file archiver.
- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.war.
- Redeploy DataQuantWebSphere21.war on your web server.

8. For DataQuant for WebSphere\DataQuantWebSphere21.ear, rename DataQuantWebSphere21.ear to DataQuantWebSphere21.zip and open it in the file archiver.
- Make the changes described in step 7 to the DataQuantWebSphere21.war file inside the DataQuantWebSphere21.zip archive, or replace that DataQuantWebSphere21.war with the updated DataQuantWebSphere21.war from step 7.
- Close the file archiver.
- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.ear.
- Redeploy DataQuantWebSphere21.ear on your web server.
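The eight steps above are manual jar surgery, and the part that goes wrong in practice is the manifest: Bundle-ClassPath has to be re-wrapped within the 72-byte line limit with a single leading space on every continuation line, and the same edit must then be repeated inside the .war and again inside the .ear. The Python below is an added example, not IBM's or Apache's code. It automates step 3 for one plugin jar (drop the old lib/ jars, add the new ones, rewrite Bundle-ClassPath with correct wrapping) and adds the check a practitioner would run after step 8: a scan for bundled POI jars older than 3.16, the version the bulletin installs, that descends into nested .jar/.war/.ear members. Jar and archive names are the ones the bulletin lists; the archives it builds are constructed stand-ins whose jar bodies are placeholder bytes, and it assumes the plugin layout the bulletin itself describes (jars under lib/, manifest at META-INF/MANIFEST.MF).

```python
"""Automate step 3 of the workaround and the check behind steps 7-8: swap a plugin's lib/
jars, rewrite Bundle-ClassPath with correct manifest wrapping, and find outdated POI jars,
also inside nested .war/.ear files. Added example, not IBM's code; archives are constructed."""
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
NEW_LIBS = ["poi-3.16.jar", "poi-ooxml-3.16.jar", "poi-ooxml-schemas-3.16.jar",  # step 3 list
            "xmlbeans-2.6.0.jar", "curvesapi-1.04.jar", "commons-collections4-4.1.jar"]
POI_JAR = re.compile(r"^poi(?:-[a-z-]+)?-(\d+)\.(\d+)(?:-\d+)?\.jar$")  # poi-3.12-20150511.jar ...

def parse_manifest(text):
    """Main-section attributes with continuation lines (leading space) joined."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]  # continuation: drop the single space
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            attrs[last] = value.strip()
    return attrs

def wrap_attribute(name, value):
    """Lines of at most 70 bytes (within the 72-byte manifest limit even with CRLF);
    every continuation line starts with exactly one space, as the note after step 3 requires."""
    raw, limit = f"{name}: {value}".encode("ascii"), 70  # jar names are ASCII
    lines, rest = [raw[:limit]], raw[limit:]
    while rest:
        lines.append(b" " + rest[:limit - 1])
        rest = rest[limit - 1:]
    return [l.decode("ascii") for l in lines]

def repack_plugin(src, dst, new_libs, lib_dir="lib"):
    """Copy src to dst, replacing everything under lib_dir/ with new_libs
    (name -> bytes) and pointing Bundle-ClassPath at exactly those jars."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename.startswith(lib_dir + "/"):
                continue  # "remove everything from the lib folder"
            data = zin.read(info)
            if info.filename == MANIFEST:
                attrs = parse_manifest(data.decode("utf-8"))
                attrs["Bundle-ClassPath"] = ",".join(["."] + [f"{lib_dir}/{n}" for n in new_libs])
                lines = [l for k, v in attrs.items() for l in wrap_attribute(k, v)]
                data = ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8")
            zout.writestr(info, data)
        for name, blob in new_libs.items():
            zout.writestr(f"{lib_dir}/{name}", blob)

def poi_jars_older_than(archive, minimum=(3, 16), prefix=""):  # 3.16: what the bulletin installs
    """'outer!inner' paths of POI jars below `minimum`, recursing into nested .jar/.war/.ear members."""
    found = []
    with zipfile.ZipFile(archive) as z:
        for name in z.namelist():
            base = name.rsplit("/", 1)[-1]
            m = POI_JAR.match(base)
            if m and (int(m.group(1)), int(m.group(2))) < minimum:
                found.append(prefix + name)
            elif not m and base.endswith((".jar", ".war", ".ear")):
                inner = io.BytesIO(z.read(name))
                if zipfile.is_zipfile(inner):  # the placeholder jars below are not zips
                    found += poi_jars_older_than(inner, minimum, prefix + name + "!")
    return found

def zip_of(entries):  # in-memory zip from {member name: bytes}; constructed data only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf

def build_sample_plugin():
    """Stand-in for com.ibm.bi.core.poi_2.1.7.20170216.jar carrying the step 3 manifest."""
    manifest = ("Manifest-Version: 1.0\r\nBundle-SymbolicName: com.ibm.bi.core.poi\r\n"
                "Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150\r\n"
                " 511.jar,lib/poi-ooxml-schemas-3.12-20150511.jar,lib/xmlbeans-2.6.0.jar\r\n\r\n")
    libs = ["poi-3.12-20150511.jar", "poi-ooxml-3.12-20150511.jar",
            "poi-ooxml-schemas-3.12-20150511.jar", "xmlbeans-2.6.0.jar"]
    return zip_of({MANIFEST: manifest, **{f"lib/{n}": b"placeholder" for n in libs}})

def build_sample_ear():
    """Constructed DataQuantWebSphere21.ear -> .war -> WEB-INF/eclipse/plugins/<poi jar>."""
    war = zip_of({"WEB-INF/eclipse/plugins/com.ibm.bi.core.poi_2.1.7.20170216.jar":
                  build_sample_plugin().getvalue()})
    return zip_of({"DataQuantWebSphere21.war": war.getvalue()})

def patch_sample():
    """Apply step 3 to the constructed plugin; returns (before, after, manifest, names)."""
    src, dst = build_sample_plugin(), io.BytesIO()
    before = poi_jars_older_than(src)
    repack_plugin(src, dst, {n: b"placeholder" for n in NEW_LIBS})
    with zipfile.ZipFile(dst) as z:
        manifest, names = z.read(MANIFEST).decode("utf-8"), sorted(z.namelist())
    return before, poi_jars_older_than(dst), manifest, names
```

To use it on a real installation, call repack_plugin with the path of the original plugin jar, a path for the rewritten copy, and a dict mapping each jar name from step 2 to the bytes read out of poi-bin-3.16-20170419.zip, then swap the files and run step 6. The com.ibm.bi.thirdparty_2.1.7.20170216 bundle in step 5 is an exploded folder rather than a jar, so for it edit MANIFEST.MF directly with parse_manifest and wrap_attribute. After steps 7 and 8, running poi_jars_older_than over the redeployed .ear should return an empty list; any path it prints is a nested archive that still carries the 3.12 jars.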
