IBM Support

Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)

Security Bulletin


An XML External Entity Injection (XXE) vulnerability in IBM InfoSphere Information Server potentially can be used by an attacker to retrieve sensitive documents.

Importing from the DataStage Designer Client is a feature that enables users to migrate DataStage assets from one system to another or from one project to another in the same system.
• Migrating Jobs from a Development system to a Production system
• Performing DataStage version upgrades (i.e. v11.3 to v11.5)
• Sharing assets between DataStage users/teams

IBM DataStage supports three different formats to export  DataStage objects: 
• DSX (DataStage eXport format)

There is a potential vulnerability when existing DataStage assets are imported via XML.
The DataStage Intelligent Assistants functionality creates and uses XML files, and hence it is also vulnerable.
A legacy tool XMLImporter.exe is also vulnerable. This tool is no longer used and can be removed.

Likewise, there is a potential vulnerability in XML Plugin's metadata import operations.

Vulnerability Details

CVEID: CVE-2017-1383
IBM InfoSphere Information Server is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere DataStage: versions 9.1, 11.3, 11.5 and 11.7
IBM InfoSphere Information Server on Cloud: version 11.5



Workarounds and Mitigations

Mitigation Steps:

DataStage import operations

InfoSphere Information Server version 11.7 does not need any actions.
For all other releases:
• Limit import of DataStage assets to DSX (Default) or ISX formats, only.
• If XML format is used for import, manually check the XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are optional in DataStage XML files, and if present, can be safely removed before importing.
• Additionally, use the istools command line utility that supports both export and import in ISX format.
Examples on the use of istools command line utility can be found in the links below:  Pg. 50 – Pg. 54

DataStage Intelligent Assistants

Intelligent assistant functionality is described here:
The section "Creating a template from a job" explains where Templates are stored. The default location is Clients\Classic\Assistants\Generation\templates\<language>.
Before using a Template, manually check the underlying XML file before importing the file to determine if there is a DTD / DOCTYPE section. DTD sections are not required in Template XML files, and if present, can be safely removed before using.

Legacy tool XMLImporter.exe

The tool XMLImporter.exe can be found in the Clients\Classic directory.
As installed, it cannot be used, but can be made to work with sufficient internals knowledge.
It serves no useful function and should be deleted from systems.
Important: There are several similarly named executables which are not subject to this security bulletin. Please ensure to only delete the executable named XMLImporter.exe.

XML Metadata importer operations for XML Input and XML Output plugin stages

XML Metadata Importer is used to create table definitions from XML sources i.e. XML Schemas and XML documents. IBM recommends manually checking the XML file content before importing the file. If there is a DTD / DOCTYPE section, verify its contents for any vulnerabilities.
DTD sections are required in some XML files else the metadata imported may be incomplete which could be due to missing DTD Entities data.
XML Schema Definition (XSD) language is the current standard schema language for all XML documents and data. So, IBM recommends using XSD as an alternative to DTD.

Get Notified about Future Security Bulletins


Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


This vulnerability was reported to IBM by Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) of SEC Consult Vulnerability Lab.

Change History

30 July 2017: Original version published
31 July 2017: republished with no changes
04 August 2017: added information for DataStage Intelligent Assistants and XMLImporter
22 December 2017: DataStage import operations in Information Server 11.7 is not vulnerable

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Information Management InfoSphere Information Server AIX, HP-UX, Linux, Solaris, Windows 9.1, 11.5, 11.3, 11.7

Document information

More support for: InfoSphere Information Server

Software version: 9.1, 11.3, 11.5, 11.7

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 2005803

Modified date: 22 December 2017