Security Bulletin: Public disclosured vulnerability from Apache POI

Summary

IBM DataQuant has addressed the following vulnerabiltiy.

Vulnerability Details

Advisory CVEs: CVE-2017-12626

CVEID: CVE-2017-12626 DESCRIPTION: Apache POI is vulnerable to a denial of service, caused by an error while parsing malicious WMF, EMF, MSG and macros and specially crafted DOC, PPT and XLS. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or an out of memory exception.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138361&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected IBM DataQuant

|

Affected Versions

—|—

IBM DataQuant for z/OS

|

2.1

IBM DataQuant for Multiplatforms

|

2.1

Remediation/Fixes

None. See ‘Workarounds and Mitigations’.

Workarounds and Mitigations

Use the following instructions to replace DataQuant’s Apache POI library with the latest version, which is 3.17:

1. Install 7-Zip or other file archiver.

2. Download POI 3.17 (https://www.apache.org/dyn/closer.lua/poi/release/bin/poi-bin-3.17-2017…).

Find the following jar files inside the archive:

poi-3.17.jar

poi-ooxml-3.17.jar

poi-ooxml-schemas-3.17.jar

commons-collections4-4.1.jar (under “lib” folder)

commons-codec-1.10.jar (under “lib” folder)

commons-logging-1.2.jar (under “lib” folder)

curvesapi-1.04.jar (under “ooxml-lib” folder)

xmlbeans-2.6.0.jar (under “ooxml-lib” folder)

3. In the DataQuant for Workstation\plugins folder, rename com.ibm.bi.core.poi_2.1.7.20170216.jar to com.ibm.bi.core.poi_2.1.7.20170216.zip and open it in the archiver that you have installed in step #1.

- Remove everything from the “lib” folder

- Copy the poi-3.17.jar,poi-ooxml-3.17.jar,poi-ooxml-schemas-3.17.jar,xmlbeans-2.6.0.jar,

curvesapi-1.04.jar,commons-collections4-4.1.jar files into the “lib” folder

- Modify the META-INF\MANIFEST-MF file.

Instead of

Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150511.jar,

lib/poi-ooxml-schemas-3.12-20150511.jar,

lib/xmlbeans-2.6.0.jar

type

Bundle-ClassPath: .,lib/poi-3.17.jar,lib/poi-ooxml-3.17.jar,

lib/poi-ooxml-schemas-3.17.jar,lib/xmlbeans-2.6.0.jar,

lib/curvesapi-1.04.jar,lib/commons-collections4-4.1.jar

Make sure that there are spaces at the beginning of the second and the third line

- Save changes, close the archiver, and rename com.ibm.bi.core.poi_2.1.7.20170216.zip

to

com.ibm.bi.core.poi_2.1.7.20170216.jar

4. In the DataQuant for Workstation\plugins folder, rename

com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar

to

com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip and open it in the archiver.

- Remove everything from the “lib” folder

- Copy the poi-3.17.jar,poi-ooxml-3.17.jar,poi-ooxml-schemas-3.17.jar,xmlbeans-2.6.0.jar files into the “lib” folder

- Modify META-INF\MANIFEST-MF file.

Instead of

Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150511.jar,

lib/poi-ooxml-schemas-3.12-20150511.jar,lib/poi-scratchpad-3.12-20150511.jar

type

Bundle-ClassPath: .,lib/poi-3.17.jar,lib/poi-ooxml-3.17.jar,

lib/poi-ooxml-schemas-3.17.jar,lib/xmlbeans-2.6.0.jar

Make sure that there is a space at the beginning of the second line

-Save changes, close the archiver, and rename com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip

to

com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar

5. In the DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216 folder

- Remove commons-codec-1.6.jar and commons-logging-1.1.3.jar from the “Other” folder

- Copy commons-codec-1.10.jar and commons-logging-1.2.jar into the the “Other” folder

- Modify META-INF\MANIFEST.MF.

Instead of

Bundle-ClassPath: Other/mail.jar,

Other/DPDFGen.jar,Other/js.jar,

Other/ commons-logging-1.1.3.jar,

Other/httpclient-4.3.1.jar,

Other/httpcore-4.3.jar,

Other/commons-codec-1.6.jar,Other/pdfbox-1.7.0.jar,

Other/fontbox-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,

Other/jackson-core-2.2.2.jar,Other/jackson-databind-2.2.2.jar,

Other/httpmime-4.3.jar

type

Bundle-ClassPath: Other/mail.jar,

Other/DPDFGen.jar,Other/js.jar,

Other/commons-logging-1.2.jar,

Other/httpclient-4.3.1.jar,

Other/httpcore-4.3.jar,

Other/commons-codec-1.10.jar,Other/pdfbox-1.7.0.jar,

Other/fontbox-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,

Other/jackson-core-2.2.2.jar,Other/jackson-databind-2.2.2.jar,

Other/httpmime-4.3.jar

Make sure that there are spaces at the beginning of each line (with the exception of the first line)

- Save changes

6. Run Data Quant for Workstation with the following command line parameters:

dataquant.exe -clean -clearPersistedState

7. For DataQuant for WebSphere\DataQuantWebSphere21.war, rename DataQuantWebSphere21.war to DataQuantWebSphere21.zip and open it in the file archiver.

Make the changes described in steps #3 and #5 inside the DataQuantWebSphere21.zip\WEB-INF\eclipse\plugins folder or replace the existing com.ibm.bi.core.poi_2.1.7.20170216.jar and com.ibm.bi.thirdparty_2.1.7.20170216 folders with the updated ones from the workstation version

- Close file archiver

- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.war

- Redeploy DataQuantWebSphere21.war on your web server

8. For DataQuant for WebSphere\DataQuantWebSphere21.ear, rename DataQuantWebSphere21.ear

to

DataQuantWebSphere21.zip and open it in the file archiver.

Make the changes described in step #7 for the DataQuantWebSphere21.war file which is inside the DataQuantWebSphere21.zip archive

or

replace the existing DataQuantWebSphere21.war with the updated DataQuantWebSphere21.war from step #7

- Close file archiver

- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.ear

- Redeploy DataQuantWebSphere21.ear on your web server