APAR status
Closed as program error.
Error description
DataStage XML Import has an XML external entity (XXE) vulnerability.
Local fix
Import using dsx format, or manually review XML files for unexpected DTD content
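The manual review named under Local fix can be scripted. The following is an added example, not IBM's code: a Python scan that flags DOCTYPE, ENTITY and xml-stylesheet markup in an XML export before import, without handing the file to an XML parser. The function names, the `Export` root element and the sample input are constructed for illustration.

```python
import codecs
import re
import sys

# Constructed sample, not a real DataStage export; "Export" is a placeholder root.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE Export [
  <!ENTITY ext SYSTEM "file:///placeholder">
]>
<Export><!-- <!DOCTYPE ignored> --><Job>&ext;</Job></Export>
"""

# Lexical patterns only: the file is never handed to an XML parser,
# so no entity or external reference is resolved during review.
_COMMENT_OR_CDATA = re.compile(r"<!--.*?-->|<!\[CDATA\[.*?\]\]>", re.S)
_CHECKS = [
    ("doctype", re.compile(r"<!DOCTYPE\s+[^\s\[>]+")),
    ("external-id", re.compile(
        r"<!(?:DOCTYPE|ENTITY)\b[^>\[]*?\b(?:SYSTEM|PUBLIC)\s*[\"'][^\"']*[\"']")),
    ("entity-decl", re.compile(r"<!ENTITY\s+%?\s*[^\s>]+")),
    ("stylesheet-pi", re.compile(r"<\?xml-stylesheet\b[^?]*\?>")),
]


def decode_export(raw: bytes) -> str:
    """Decode by BOM so a BOM-marked UTF-16 export is still scanned."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def find_dtd_content(raw: bytes):
    """Return sorted (line, kind, snippet) findings for DTD-related markup."""
    text = decode_export(raw)
    # Blank out comments/CDATA but keep newlines so line numbers stay right.
    text = _COMMENT_OR_CDATA.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)
    findings = []
    for kind, pattern in _CHECKS:
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, kind, " ".join(m.group().split())[:80]))
    return sorted(findings)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for line, kind, snippet in find_dtd_content(fh.read()):
                print(f"{path}:{line}: {kind}: {snippet}")
```

Any finding means the file should be read by a person before import; a BOM-less UTF-16 file is not decoded by this sketch and should be treated as suspect on its own.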
Problem summary
USERS AFFECTED: Users of DataStage project import using XML exports.
PROBLEM DESCRIPTION: The XML import can be compromised by editing the XML and/or default stylesheets prior to import. This forces the stylesheet to process DTD entries in such a way that user-written code can be executed.
RECOMMENDATION: The problem is resolved in 11.7 releases of the product. A patch for 11.5 releases is available from IBM support. Refer to the security bulletin for details: http://www.ibm.com/support/docview.wss?uid=swg22005803
Problem conclusion
The client code has been modified to allow the control of DTD processing.
Temporary fix
Comments
APAR Information
APAR number
JR57932
Reported component name
WIS DATASTAGE
Reported component ID
5724Q36DS
Reported release
912
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-06-06
Closed date
2020-06-15
Last modified date
2020-06-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WIS DATASTAGE
Fixed component ID
5724Q36DS
Applicable component levels
Document Information
Modified date:
16 June 2020