Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)
An XML External Entity Injection (XXE) vulnerability in IBM InfoSphere Information Server potentially can be used by an attacker to retrieve sensitive documents.
Importing from the DataStage Designer Client is a feature that enables users to migrate DataStage assets from one system to another or from one project to another in the same system.
• Migrating Jobs from a Development system to a Production system
• Performing DataStage version upgrades (i.e. v11.3 to v11.5)
• Sharing assets between DataStage users/teams
IBM DataStage supports three different formats to export DataStage objects:
• DSX (DataStage eXport format)
There is a potential vulnerability when existing DataStage assets are imported via XML.
The DataStage Intelligent Assistants functionality creates and uses XML files, and hence it is also vulnerable.
A legacy tool XMLImporter.exe is also vulnerable. This tool is no longer used and can be removed.
Likewise, there is a potential vulnerability in XML Plugin's metadata import operations.
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
Affected Products and Versions
The following products, running on all supported platforms, are affected:
IBM InfoSphere DataStage: versions 9.1, 11.3, 11.5 and 11.7
IBM InfoSphere Information Server on Cloud: version 11.5
Workarounds and Mitigations
DataStage import operations
InfoSphere Information Server version 11.7 does not need any actions.
For all other releases:
• Limit import of DataStage assets to DSX (Default) or ISX formats, only.
• If XML format is used for import, manually check the XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are optional in DataStage XML files, and if present, can be safely removed before importing.
• Additionally, use the istools command line utility that supports both export and import in ISX format.
Examples on the use of istools command line utility can be found in the links below:
•www.redbooks.ibm.com/redbooks/pdfs/sg247830.pdf Pg. 50 – Pg. 54
DataStage Intelligent Assistants
Intelligent assistant functionality is described here:
The section "Creating a template from a job" explains where Templates are stored. The default location is Clients\Classic\Assistants\Generation\templates\<language>.
Before using a Template, manually check the underlying XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are not required in Template XML files, and if present, can be safely removed before using.
Legacy tool XMLImporter.exe
The tool XMLImporter.exe can be found in the Clients\Classic directory.
As installed, it cannot be used, but can be made to work with sufficient internals knowledge.
It serves no useful function and should be deleted from systems.
Important: There are several similarly named executables which are not subject to this security bulletin. Please ensure to only delete the executable named XMLImporter.exe.
XML Metadata importer operations for XML Input and XML Output plugin stages
XML Metadata Importer is used to create table definitions from XML sources i.e. XML Schemas and XML documents. IBM recommends manually checking the XML file content before importing the file. If there is a DTD / DOCTYPE section, verify its contents for any vulnerabilities.
DTD sections are required in some XML files else the metadata imported may be incomplete which could be due to missing DTD Entities data.
XML Schema Definition (XSD) language is the current standard schema language for all XML documents and data. So, IBM recommends using XSD as an alternative to DTD.
Get Notified about Future Security Bulletins
ReferencesComplete CVSS v3 Guide
On-line Calculator v3
Related informationIBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
This vulnerability was reported to IBM by Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) of SEC Consult Vulnerability Lab.
30 July 2017: Original version published
31 July 2017: republished with no changes
04 August 2017: added information for DataStage Intelligent Assistants and XMLImporter
22 December 2017: DataStage import operations in Information Server 11.7 is not vulnerable
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
|Information Management||InfoSphere Information Server||AIX, HP-UX, Linux, Solaris, Windows||9.1, 11.5, 11.3, 11.7|
More support for:
InfoSphere Information Server
Software version: 9.1, 11.3, 11.5, 11.7
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 2005803
Modified date: 22 December 2017