An XML External Entity Injection (XXE) vulnerability in IBM InfoSphere Information Server potentially can be used by an attacker to retrieve sensitive documents.
Importing from the DataStage Designer Client is a feature that enables users to migrate DataStage assets from one system to another or from one project to another in the same system.
Examples:
ā¢ Migrating Jobs from a Development system to a Production system
ā¢ Performing DataStage version upgrades (i.e. v11.3 to v11.5)
ā¢ Sharing assets between DataStage users/teams
IBM DataStage supports three different formats to export DataStage objects:
ā¢ DSX (DataStage eXport format)
ā¢ XML
ā¢ ISX
There is a potential vulnerability when existing DataStage assets are imported via XML.
The DataStage Intelligent Assistants functionality creates and uses XML files, and hence it is also vulnerable.
A legacy tool XMLImporter.exe is also vulnerable. This tool is no longer used and can be removed.
Likewise, there is a potential vulnerability in XML Pluginās metadata import operations.
CVEID: CVE-2017-1383 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
The following products, running on all supported platforms, are affected:
IBM InfoSphere DataStage: versions 9.1, 11.3, 11.5 and 11.7
IBM InfoSphere Information Server on Cloud: version 11.5
For DataStage import operations:
VRMF
|
APAR
|
Remediation/First Fix
ā|ā|ā
11.7
|
|
--A fix is not needed
11.5
|
|
--Apply DataStage Security patch
11.3
|
|
--Upgrade to a release where this issue is addressed.
9.1 | JR57932 | --Upgrade to a release where this issue is addressed.
For other components and releases, see the Workarounds and Mitigations section.
Mitigation Steps:
DataStage import operations
Note: See Remediation/Fixes section for available fixes.
For releases other than 11.7, if a published fix is not applied:
ā¢ Limit import of DataStage assets to DSX (Default) or ISX formats, only.
ā¢ If XML format is used for import, manually check the XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are optional in DataStage XML files, and if present, can be safely removed before importing.
ā¢ Additionally, use the istools command line utility that supports both export and import in ISX format.
Examples on the use of istools command line utility can be found in the links below:
ā¢https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.5.0/com.ibm.swg.im.iis.productization.iisinfsv.migrate.doc/topics/a_exporting_projects.html
ā¢https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.5.0/com.ibm.swg.im.iis.iisinfsv.assetint.nav.doc/containers/istool_container_topic.html
ā¢https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.3.0/com.ibm.swg.im.iis.iisinfsv.assetint.doc/topics/istoolimp.html
ā¢www.redbooks.ibm.com/redbooks/pdfs/sg247830.pdf Pg. 50 ā Pg. 54
DataStage Intelligent Assistants
Intelligent assistant functionality is described here:
https://www.ibm.com/support/knowledgecenter/SSZJPZ_11.5.0/com.ibm.swg.im.iis.ds.design.doc/topics/c_ddesref_Intelligent_Assistants.html
The section āCreating a template from a jobā explains where Templates are stored. The default location is Clients\Classic\Assistants\Generation\templates<language>.
Before using a Template, manually check the underlying XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are not required in Template XML files, and if present, can be safely removed before using.
Legacy tool XMLImporter.exe
The tool XMLImporter.exe can be found in the Clients\Classic directory.
As installed, it cannot be used, but can be made to work with sufficient internals knowledge.
It serves no useful function and should be deleted from systems.
Important: There are several similarly named executables which are not subject to this security bulletin. Please ensure to only delete the executable named XMLImporter.exe.
_XML _Metadata importer operations for XML Input and XML Output plugin stages
XML Metadata Importer is used to create table definitions from XML sources i.e. XML Schemas and XML documents. IBM recommends manually checking the XML file content before importing the file. If there is a DTD / DOCTYPE section, verify its contents for any vulnerabilities.
DTD sections are required in some XML files else the metadata imported may be incomplete which could be due to missing DTD Entities data.
XML Schema Definition (XSD) language is the current standard schema language for all XML documents and data. So, IBM recommends using XSD as an alternative to DTD.
Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3
Off
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
This vulnerability was reported to IBM by Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) of SEC Consult Vulnerability Lab.
30 July 2017: Original version published
31 July 2017: republished with no changes
04 August 2017: added information for DataStage Intelligent Assistants and XMLImporter
22 December 2017: DataStage import operations in Information Server 11.7 is not vulnerable
23 June 2020: Added fix information for DataStage import operations in various releases
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
[{āBusiness Unitā:{ācodeā:āBU059ā,ālabelā:āIBM Software w/o TPSā},āProductā:{ācodeā:āSSZJPZā,ālabelā:āIBM InfoSphere Information Serverā},āARM Categoryā:[{ācodeā:āā,ālabelā:āā}],āPlatformā:[{ācodeā:āPF002ā,ālabelā:āAIXā},{ācodeā:āPF010ā,ālabelā:āHP-UXā},{ācodeā:āPF016ā,ālabelā:āLinuxā},{ācodeā:āPF027ā,ālabelā:āSolarisā},{ācodeā:āPF033ā,ālabelā:āWindowsā}],āVersionā:ā9.1;11.5;11.3;11.7ā,āLine of Businessā:{ācodeā:āLOB10ā,ālabelā:āData and AIā}}]