IBM DataQuant has addressed the following vulnerability.
Advisory CVEs: CVE-2017-12626
CVEID: CVE-2017-12626
DESCRIPTION: Apache POI is vulnerable to a denial of service, caused by an error while parsing malicious WMF, EMF, MSG and macros and specially crafted DOC, PPT and XLS files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to enter an infinite loop or throw an out-of-memory exception.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138361> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Affected IBM DataQuant | Affected Versions
---|---
IBM DataQuant for z/OS | 2.1
IBM DataQuant for Multiplatforms | 2.1
Remediation/Fixes: None. See "Workarounds and Mitigations".
Workarounds and Mitigations: Use the following instructions to replace DataQuant's Apache POI library with the latest version, which is 3.17:
1. Install 7-Zip or other file archiver.
2. Download POI 3.17 (https://www.apache.org/dyn/closer.lua/poi/release/bin/poi-bin-3.17-2017…).
Find the following jar files inside the archive:
poi-3.17.jar
poi-ooxml-3.17.jar
poi-ooxml-schemas-3.17.jar
commons-collections4-4.1.jar (under the "lib" folder)
commons-codec-1.10.jar (under the "lib" folder)
commons-logging-1.2.jar (under the "lib" folder)
curvesapi-1.04.jar (under the "ooxml-lib" folder)
xmlbeans-2.6.0.jar (under the "ooxml-lib" folder)
3. In the DataQuant for Workstation\plugins folder, rename com.ibm.bi.core.poi_2.1.7.20170216.jar to com.ibm.bi.core.poi_2.1.7.20170216.zip and open it in the archiver that you have installed in step #1.
- Remove everything from the "lib" folder
- Copy the poi-3.17.jar, poi-ooxml-3.17.jar, poi-ooxml-schemas-3.17.jar, xmlbeans-2.6.0.jar, curvesapi-1.04.jar and commons-collections4-4.1.jar files into the "lib" folder
- Modify the META-INF\MANIFEST.MF file.
Instead of
Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150511.jar,
 lib/poi-ooxml-schemas-3.12-20150511.jar,
 lib/xmlbeans-2.6.0.jar
type
Bundle-ClassPath: .,lib/poi-3.17.jar,lib/poi-ooxml-3.17.jar,
 lib/poi-ooxml-schemas-3.17.jar,lib/xmlbeans-2.6.0.jar,
 lib/curvesapi-1.04.jar,lib/commons-collections4-4.1.jar
Make sure that there are spaces at the beginning of the second and the third line (a manifest continuation line is recognised only by that leading space).
- Save changes, close the archiver, and rename com.ibm.bi.core.poi_2.1.7.20170216.zip back to com.ibm.bi.core.poi_2.1.7.20170216.jar
4. In the DataQuant for Workstation\plugins folder, rename com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar to com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip and open it in the archiver.
- Remove everything from the "lib" folder
- Copy the poi-3.17.jar, poi-ooxml-3.17.jar, poi-ooxml-schemas-3.17.jar and xmlbeans-2.6.0.jar files into the "lib" folder
- Modify the META-INF\MANIFEST.MF file.
Instead of
Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150511.jar,
 lib/poi-ooxml-schemas-3.12-20150511.jar,lib/poi-scratchpad-3.12-20150511.jar
type
Bundle-ClassPath: .,lib/poi-3.17.jar,lib/poi-ooxml-3.17.jar,
 lib/poi-ooxml-schemas-3.17.jar,lib/xmlbeans-2.6.0.jar
Make sure that there is a space at the beginning of the second line
- Save changes, close the archiver, and rename com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip back to com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar
5. In the DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216 folder
- Remove commons-codec-1.6.jar and commons-logging-1.1.3.jar from the "Other" folder
- Copy commons-codec-1.10.jar and commons-logging-1.2.jar into the "Other" folder
- Modify META-INF\MANIFEST.MF.
Instead of
Bundle-ClassPath: Other/mail.jar,
 Other/DPDFGen.jar,Other/js.jar,
 Other/ commons-logging-1.1.3.jar,
 Other/httpclient-4.3.1.jar,
 Other/httpcore-4.3.jar,
 Other/commons-codec-1.6.jar,Other/pdfbox-1.7.0.jar,
 Other/fontbox-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,
 Other/jackson-core-2.2.2.jar,Other/jackson-databind-2.2.2.jar,
 Other/httpmime-4.3.jar
type
Bundle-ClassPath: Other/mail.jar,
 Other/DPDFGen.jar,Other/js.jar,
 Other/commons-logging-1.2.jar,
 Other/httpclient-4.3.1.jar,
 Other/httpcore-4.3.jar,
 Other/commons-codec-1.10.jar,Other/pdfbox-1.7.0.jar,
 Other/fontbox-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,
 Other/jackson-core-2.2.2.jar,Other/jackson-databind-2.2.2.jar,
 Other/httpmime-4.3.jar
Make sure that there are spaces at the beginning of each line (with the exception of the first line)
- Save changes
6. Run DataQuant for Workstation with the following command line parameters:
dataquant.exe -clean -clearPersistedState
7. For DataQuant for WebSphere\DataQuantWebSphere21.war, rename DataQuantWebSphere21.war to DataQuantWebSphere21.zip and open it in the file archiver.
Make the changes described in steps #3 and #5 inside the DataQuantWebSphere21.zip\WEB-INF\eclipse\plugins folder, or replace the existing com.ibm.bi.core.poi_2.1.7.20170216.jar and com.ibm.bi.thirdparty_2.1.7.20170216 folders with the updated ones from the workstation version.
- Close file archiver
- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.war
- Redeploy DataQuantWebSphere21.war on your web server
8. For DataQuant for WebSphere\DataQuantWebSphere21.ear, rename DataQuantWebSphere21.ear to DataQuantWebSphere21.zip and open it in the file archiver.
Make the changes described in step #7 for the DataQuantWebSphere21.war file which is inside the DataQuantWebSphere21.zip archive
or
replace the existing DataQuantWebSphere21.war with the updated DataQuantWebSphere21.war from step #7
- Close file archiver
- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.ear
- Redeploy DataQuantWebSphere21.ear on your web server
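Steps 3 to 5 edit the Bundle-ClassPath header of three plugin manifests by hand and twice warn about the leading space on continuation lines. The Python below is an added example, not IBM's tooling or part of this bulletin: it rewrites a Bundle-ClassPath value folded per the JAR manifest format (lines of at most 72 bytes, continuation lines starting with one space) and unfolds a manifest to confirm that no Apache POI jar older than 3.17 remains on the bundle classpath. The sample manifest is constructed from the step 3 text; the 72-byte limit and the pattern used to recognise POI jar names are assumptions about the manifest format, not something the bulletin states.

```python
import re

MAX_LINE = 72  # JAR manifest limit per line; entries here are ASCII, so chars == bytes

OLD_MANIFEST = (  # constructed sample, modelled on the step 3 manifest text above
    "Manifest-Version: 1.0\n"
    "Bundle-SymbolicName: com.ibm.bi.core.poi\n"
    "Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150511.jar,\n"
    " lib/poi-ooxml-schemas-3.12-20150511.jar,\n"
    " lib/xmlbeans-2.6.0.jar\n"
)
NEW_JARS = [".", "lib/poi-3.17.jar", "lib/poi-ooxml-3.17.jar",
            "lib/poi-ooxml-schemas-3.17.jar", "lib/xmlbeans-2.6.0.jar",
            "lib/curvesapi-1.04.jar", "lib/commons-collections4-4.1.jar"]

def unfold(manifest_text):
    """Return {header: value}, joining continuation lines (leading space) back on."""
    headers, last = {}, None
    for line in manifest_text.splitlines():
        if line.startswith(" ") and last:
            headers[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            headers[last] = value.strip()
    return headers

def fold(header, value):
    """Emit 'Header: value' as lines of at most MAX_LINE chars, space-continued."""
    text, lines = f"{header}: {value}", []
    while len(text) > MAX_LINE:
        lines.append(text[:MAX_LINE])
        text = " " + text[MAX_LINE:]  # the leading space is what marks a continuation
    return lines + [text]

def set_bundle_classpath(manifest_text, jars):
    """Replace the Bundle-ClassPath entry and its continuation lines with `jars`."""
    out, dropping = [], False
    for line in manifest_text.splitlines():
        if line.startswith("Bundle-ClassPath:"):
            out.extend(fold("Bundle-ClassPath", ",".join(jars)))
        elif not (dropping and line.startswith(" ")):  # skip the old continuations
            out.append(line)
        dropping = line.startswith("Bundle-ClassPath:") or (dropping and line.startswith(" "))
    return "\n".join(out) + "\n"

def vulnerable_poi_entries(manifest_text):
    """Bundle-ClassPath entries that still name an Apache POI jar older than 3.17."""
    entries = unfold(manifest_text).get("Bundle-ClassPath", "").split(",")
    found = [(e, re.search(r"/poi(?:-[a-z]+)*-(\d+)\.(\d+)", e)) for e in entries]
    return [e for e, m in found if m and (int(m[1]), int(m[2])) < (3, 17)]
```

Run set_bundle_classpath on the extracted META-INF/MANIFEST.MF text before repacking the jar, and vulnerable_poi_entries on the manifest read back from the repacked jar as the post-patch check.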
CPE
Name | Operator | Version
---|---|---
ibm dataquant for z/os | eq | 2.1