IBM Support

Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)

Security Bulletin


Summary

An XML External Entity Injection (XXE) vulnerability in IBM InfoSphere Information Server potentially can be used by an attacker to retrieve sensitive documents.

Importing from the DataStage Designer Client is a feature that enables users to migrate DataStage assets from one system to another or from one project to another in the same system.
Examples:
• Migrating Jobs from a Development system to a Production system
• Performing DataStage version upgrades (i.e. v11.3 to v11.5)
• Sharing assets between DataStage users/teams

IBM DataStage supports three different formats to export  DataStage objects: 
• DSX (DataStage eXport format)
• XML
• ISX

There is a potential vulnerability when existing DataStage assets are imported via XML.
The DataStage Intelligent Assistants functionality creates and uses XML files, and hence it is also vulnerable.
A legacy tool XMLImporter.exe is also vulnerable. This tool is no longer used and can be removed.

Likewise, there is a potential vulnerability in XML Plugin's metadata import operations.

Vulnerability Details

CVEID: CVE-2017-1383
DESCRIPTION:
IBM InfoSphere Information Server is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere DataStage: versions 9.1, 11.3, and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5

Remediation/Fixes

None

Workarounds and Mitigations

Mitigation Steps:

DataStage import operations

• Limit import of DataStage assets to DSX (Default) or ISX formats, only.
• If XML format is used for import, manually check the XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are optional in DataStage XML files, and if present, can be safely removed before importing.
• Additionally, use the istools command line utility that supports both export and import in ISX format.
Examples on the use of istools command line utility can be found in the links below:

https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.5.0/com.ibm.swg.im.iis.productization.iisinfsv.migrate.doc/topics/a_exporting_projects.html
https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.5.0/com.ibm.swg.im.iis.iisinfsv.assetint.nav.doc/containers/istool_container_topic.html
https://www.ibm.com/support/knowledgecenter/en/SSZJPZ_11.3.0/com.ibm.swg.im.iis.iisinfsv.assetint.doc/topics/istoolimp.html
www.redbooks.ibm.com/redbooks/pdfs/sg247830.pdf  Pg. 50 – Pg. 54

DataStage Intelligent Assistants

Intelligent assistant functionality is described here:
https://www.ibm.com/support/knowledgecenter/SSZJPZ_11.5.0/com.ibm.swg.im.iis.ds.design.doc/topics/c_ddesref_Intelligent_Assistants.html
The section "Creating a template from a job" explains where Templates are stored. The default location is Clients\Classic\Assistants\Generation\templates\<language>.
Before using a Template, manually check the underlying XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are not required in Template XML files, and if present, can be safely removed before using.

Legacy tool XMLImporter.exe

The tool XMLImporter.exe can be found in the Clients\Classic directory.
As installed, it cannot be used, but can be made to work with sufficient internals knowledge.
It serves no useful function and should be deleted from systems.
Important: There are several similarly named executables which are not subject to this security bulletin. Please ensure to only delete the executable named XMLImporter.exe.


XML Metadata importer operations for XML Input and XML Output plugin stages

XML Metadata Importer is used to create table definitions from XML sources i.e. XML Schemas and XML documents. IBM recommends manually checking the XML file content before importing the file. If there is a DTD / DOCTYPE section, verify its contents for any vulnerabilities.
DTD sections are required in some XML files else the metadata imported may be incomplete which could be due to missing DTD Entities data.
XML Schema Definition (XSD) language is the current standard schema language for all XML documents and data. So, IBM recommends using XSD as an alternative to DTD.

Get Notified about Future Security Bulletins

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

This vulnerability was reported to IBM by Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) of SEC Consult Vulnerability Lab.

Change History

30 July 2017: Original version published
31 July 2017: republished with no changes
04 August 2017: added information for DataStage Intelligent Assistants and XMLImporter

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Information Management InfoSphere Information Server AIX, HP-UX, Linux, Solaris, Windows 9.1, 11.5, 11.3

Document information

More support for: InfoSphere Information Server

Software version: 9.1, 11.3, 11.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 2005803

Modified date: 04 August 2017


Translate this page: