CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
9.0%
A vulnerability in DataStage on Cloud Pak for Data had the potential of exposing database connection details (database names, database user-id, database credential) to authorized users with Cluster Admin role had they performed remote access to running datastage containers that was processing such database connections. This vulnerability has been addressed.
CVEID:CVE-2022-38714
**DESCRIPTION:**IBM DataStage on Cloud Pak for Data stores sensitive credential information that can be read by a privileged user.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235060 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
DataStage on Cloud Pak for Data | All |
A project administrator must install this patch to fix issues with the datastage-ibm-datastage-runtime service in DataStage Version 4.5.2.
Air Gapped Environment
In an air-gapped environment, proceed with the following steps:
Log in to the OpenShift console as the cluster admin.
Prepare the authentication credentials to access the IBM production repository. Use the same auth.json file used for CASE download and image mirroring. For example:
${PROJECT_CPD_INSTANCE}/.airgap/auth.json
Or create an auth.json file that contains credentials to access cp.icr.io and your local private registry. For example:
{
“auths”: {
“cp.icr.io”:{“email”:“unused”,“auth”:“<base64 encoded id:apikey>”},
“<private registry hostname>”:{“email”:“unused”,“auth”:“<base64 encoded id:password>”}
}
}
For more information about the auth.json file, see containers-auth.json - syntax for the registry authentication file.
Install skopeo by running:
yum install skopeo
To confirm the path for the local private registry to copy the patch image, run the following command:
oc describe pod <datastage-ibm-datastage-runtime pod> -n <cpd_instance_namespace> | grep -i “image:”
For example:
oc describe pod datastage-ibm-datastage-runtime-857bc54b4-qcdgx -n <cpd_instance_namespace> | grep -i "image:"
Image: cp.icr.io/cp/cpd/ds-runtime@sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada
To get the local private registry source details, run the following commands:
oc get imageContentSourcePolicy
oc describe imageContentSourcePolicy [cloud-pak-for-data-mirror]
The local private registry mirror repository and path details should be in the output of the describe command:
- mirrors:
- ${PRIVATE_REGISTRY_LOCATION}/cp/cpd
source: cp.icr.io/cp/cpd
For more information about mirroring of images, see Configuring your cluster to pull Cloud Pak for Data images.
Use the skopeo command to copy the patch images from the IBM production registry (cp.icr.io/cp/cpd registry) to the local private registry. Using the appropriate auth.json file, copy the patch images from the IBM production registry to the Openshift cluster registry:
skopeo copy docker://cp.icr.io/cp/cpd/ds-runtime:452.0.11 docker://<private registry>/cp/cpd/ds-runtime:452.0.11 --authfile “<folder path>/auth.json”
Run the following command to apply the patch to the DataStage custom resource (datastage):
oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p ‘{“spec”:{“image_digests”:{“canvas”:“sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1”,“caslite”:“sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849”, “codegen”:“sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9”, “flows”: “sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8”, “nginx”: “sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7”, “migration”: “sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e”, “assets”: “sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9”, “ruleset”: “sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e”, “runtime”: “sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada”}}}’
Wait for the DataStage operator reconciliation to complete
oc get datastage datastage -o yaml -n <cpd_instance_namespace>
It can take 15 - 20 minutes for the command to complete and the datastage-ibm-datastage-runtime pod to be up and running with the patched image.
Non-Air Gapped Environment
In an non-air-gapped environment, (i.e. using the online IBM entitled registry), proceed with the following steps:
Run the following command to apply the patch to the DataStage custom resource (datastage):
oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p ‘{“spec”:{“image_digests”:{“canvas”:“sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1”,“caslite”:“sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849”, “codegen”:“sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9”, “flows”: “sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8”, “nginx”: “sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7”, “migration”: “sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e”, “assets”: “sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9”, “ruleset”: “sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e”, “runtime”: “sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada”}}}’
Wait for the DataStage operator reconciliation to complete
oc get datastage datastage -o yaml -n <cpd_instance_namespace>
It can take 15 - 20 minutes for the command to complete and the datastage-ibm-datastage-runtime pod to be up and running with the patched image.
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cognos_analytics_cartridge_for_ibm_cloud_pak_for_data | 4.0.6 | cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.0.6:*:*:*:*:*:*:* |
ibm | cognos_analytics_cartridge_for_ibm_cloud_pak_for_data | 4.5.2 | cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.5.2:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
9.0%