Security Bulletin: DataStage on Cloud Pak for Data Is Vulnerable to Sensitive Information Disclosure Error (CVE-2022-38714)

Date: 2022-09-02 21:14:35
Source: www.ibm.com
Tags: datastage, cloud pak, vulnerability, sensitive information, disclosure, ibm, patch, security fix, openshift, authentication, registry, image mirroring

CVSS3: 4.9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS: 0
Percentile: 9.0%

Summary

A vulnerability in DataStage on Cloud Pak for Data could expose database connection details (database names, database user IDs, database credentials) to authorized users with the Cluster Admin role if they remotely accessed running DataStage containers that were processing such database connections. This vulnerability has been addressed.

Vulnerability Details

CVEID: CVE-2022-38714
DESCRIPTION: IBM DataStage on Cloud Pak for Data stores sensitive credential information that can be read by a privileged user.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235060 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
DataStage on Cloud Pak for Data | All

Remediation/Fixes

A project administrator must install this patch to fix issues with the datastage-ibm-datastage-runtime service in DataStage Version 4.5.2.

Procedure

Air Gapped Environment

In an air-gapped environment, proceed with the following steps:

  • Log in to the OpenShift console as the cluster admin.

  • Prepare the authentication credentials to access the IBM production repository. Use the same auth.json file used for CASE download and image mirroring. For example:
    ${PROJECT_CPD_INSTANCE}/.airgap/auth.json
    Or create an auth.json file that contains credentials to access cp.icr.io and your local private registry. For example:

    {
      "auths": {
        "cp.icr.io": {"email": "unused", "auth": "<base64 encoded id:apikey>"},
        "<private registry hostname>": {"email": "unused", "auth": "<base64 encoded id:password>"}
      }
    }

For more information about the auth.json file, see containers-auth.json - syntax for the registry authentication file.

  • Install skopeo by running:

    yum install skopeo
    
  • To confirm the path for the local private registry to copy the patch image, run the following command:

    oc describe pod <datastage-ibm-datastage-runtime pod> -n <cpd_instance_namespace> | grep -i "image:"

For example:

    oc describe pod datastage-ibm-datastage-runtime-857bc54b4-qcdgx -n <cpd_instance_namespace> | grep -i "image:"

    Image:         cp.icr.io/cp/cpd/ds-runtime@sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada

  • To get the local private registry source details, run the following commands:

    oc get imageContentSourcePolicy
    oc describe imageContentSourcePolicy [cloud-pak-for-data-mirror]

The local private registry mirror repository and path details should be in the output of the describe command:

    - mirrors:
      - ${PRIVATE_REGISTRY_LOCATION}/cp/cpd
      source: cp.icr.io/cp/cpd

For more information about mirroring of images, see Configuring your cluster to pull Cloud Pak for Data images.

  • Use the skopeo command to copy the patch images from the IBM production registry (cp.icr.io/cp/cpd registry) to the local private registry. Using the appropriate auth.json file, copy the patch images from the IBM production registry to the OpenShift cluster registry:

    skopeo copy docker://cp.icr.io/cp/cpd/ds-runtime:452.0.11 docker://<private registry>/cp/cpd/ds-runtime:452.0.11 --authfile "<folder path>/auth.json"

  • Run the following command to apply the patch to the DataStage custom resource (datastage):

    oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p '{"spec":{"image_digests":{"canvas":"sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1","caslite":"sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849", "codegen":"sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9", "flows": "sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8", "nginx": "sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7", "migration": "sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e", "assets": "sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9", "ruleset": "sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e", "runtime": "sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"}}}'

  • Wait for the DataStage operator reconciliation to complete:

    oc get datastage datastage -o yaml -n <cpd_instance_namespace>

It can take 15 - 20 minutes for the command to complete and the datastage-ibm-datastage-runtime pod to be up and running with the patched image.

Non-Air Gapped Environment

In a non-air-gapped environment (i.e., using the online IBM entitled registry), proceed with the following steps:

  • Run the following command to apply the patch to the DataStage custom resource (datastage):

    oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p '{"spec":{"image_digests":{"canvas":"sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1","caslite":"sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849", "codegen":"sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9", "flows": "sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8", "nginx": "sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7", "migration": "sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e", "assets": "sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9", "ruleset": "sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e", "runtime": "sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"}}}'

  • Wait for the DataStage operator reconciliation to complete:

    oc get datastage datastage -o yaml -n <cpd_instance_namespace>

It can take 15 - 20 minutes for the command to complete and the datastage-ibm-datastage-runtime pod to be up and running with the patched image.
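
A pre-flight and post-patch check for both procedures above, added here as an example and not part of the IBM bulletin: `component_digest` confirms the merge-patch payload carries a plain-ASCII-quoted digest (typographic quotes picked up by copy and paste make the JSON invalid), and `pod_is_patched` compares the pod's `Image:` line with the `runtime` digest from the payload. The function names and sample pod lines are assumptions; the digest is the `runtime` value from the bulletin's patch command.

```shell
#!/bin/sh
# Added example (not IBM's code). The digest is the "runtime" entry of the
# bulletin's oc patch payload.
PATCHED_RUNTIME="sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"

# Print the sha256 digest recorded for component $1 in merge-patch JSON $2.
# Prints nothing if the entry is missing or its quotes are not plain ASCII ".
component_digest() {
    printf '%s\n' "$2" |
        grep -oE "\"$1\"[[:space:]]*:[[:space:]]*\"sha256:[0-9a-f]{64}\"" |
        grep -oE 'sha256:[0-9a-f]{64}' | head -n 1
}

# Read `oc describe pod` output on stdin; print the digests on its Image: lines.
pod_image_digests() {
    grep -iE '^[[:space:]]*image:' | grep -oE 'sha256:[0-9a-f]{64}' | sort -u
}

# Exit status: 0 = pod runs the expected digest $1, 1 = a different digest
# (for example, reconciliation has not finished), 2 = no digest-pinned
# Image: line was found, so nothing can be concluded.
pod_is_patched() {
    digests=$(pod_image_digests)
    [ -n "$digests" ] || return 2
    printf '%s\n' "$digests" | grep -qxF "$1"
}

# Constructed sample inputs (hypothetical pod output; the all-zero digest is fake).
SAMPLE_PATCH='{"spec":{"image_digests":{"runtime":"'"$PATCHED_RUNTIME"'"}}}'
SAMPLE_MANGLED='{“spec”:{“image_digests”:{“runtime”:“'"$PATCHED_RUNTIME"'”}}}'
SAMPLE_PATCHED_POD="    Image:         cp.icr.io/cp/cpd/ds-runtime@$PATCHED_RUNTIME"
SAMPLE_OLD_POD="    Image:         cp.icr.io/cp/cpd/ds-runtime@sha256:$(printf '%064d' 0)"

# Live use (assumes cluster access and the placeholders from the procedure):
#   oc describe pod <datastage-ibm-datastage-runtime pod> -n <cpd_instance_namespace> \
#     | pod_is_patched "$PATCHED_RUNTIME"
```

Exit status 1 during the 15 - 20 minute reconciliation window means the old pod is still running; rerun the check once the new pod is up.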

Workarounds and Mitigations

None

Affected configurations

Vulners

Node
ibm cognos_analytics_cartridge_for_ibm_cloud_pak_for_data Match 4.0.6
OR
ibm cognos_analytics_cartridge_for_ibm_cloud_pak_for_data Match 4.5.2

Vendor | Product | Version | CPE
ibm | cognos_analytics_cartridge_for_ibm_cloud_pak_for_data | 4.0.6 | cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.0.6:*:*:*:*:*:*:*
ibm | cognos_analytics_cartridge_for_ibm_cloud_pak_for_data | 4.5.2 | cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.5.2:*:*:*:*:*:*:*
