IBM Support

Security Bulletin: DataStage on Cloud Pak for Data Is Vulnerable to Sensitive Information Disclosure Error (CVE-2022-38714)

Security Bulletin


Summary

A vulnerability in DataStage on Cloud Pak for Data could have exposed database connection details (database names, database user ID, database credential) to authorized users with the Cluster Admin role if they remotely accessed running DataStage containers that were processing such database connections. This vulnerability has been addressed.

Vulnerability Details

CVEID:   CVE-2022-38714
DESCRIPTION:   IBM DataStage on Cloud Pak for Data stores sensitive credential information that can be read by a privileged user.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235060 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
DataStage on Cloud Pak for Data | All

Remediation/Fixes

A project administrator must install this patch to fix issues with the datastage-ibm-datastage-runtime service in DataStage Version 4.5.2.

 

Procedure

Air Gapped Environment

In an air-gapped environment, proceed with the following steps:

  • Log in to the OpenShift console as the cluster admin.
  • Prepare the authentication credentials to access the IBM production repository. Use the same auth.json file used for CASE download and image mirroring. For example:
    ${PROJECT_CPD_INSTANCE}/.airgap/auth.json
    Or create an auth.json file that contains credentials to access cp.icr.io and your local private registry. For example:
    {
      "auths": { 
        "cp.icr.io":{"email":"unused","auth":"<base64 encoded id:apikey>"},
        "<private registry hostname>":{"email":"unused","auth":"<base64 encoded id:password>"} 
       }
     }
    
    For more information about the auth.json file, see containers-auth.json - syntax for the registry authentication file.
  • Install skopeo by running:
    yum install skopeo
    
  • To confirm the path for the local private registry to copy the patch image, run the following command:
    oc describe pod <datastage-ibm-datastage-runtime pod> -n <cpd_instance_namespace> | grep -i "image:"

    For example:

    oc describe pod datastage-ibm-datastage-runtime-857bc54b4-qcdgx  -n <cpd_instance_namespace> | grep -i "image:"

    Image:         cp.icr.io/cp/cpd/ds-runtime@sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada
  • To get the local private registry source details, run the following commands:
    oc get imageContentSourcePolicy
    oc describe imageContentSourcePolicy [cloud-pak-for-data-mirror]

    The local private registry mirror repository and path details should be in the output of the describe command:

    - mirrors:
      - ${PRIVATE_REGISTRY_LOCATION}/cp/cpd
      source: cp.icr.io/cp/cpd

    For more information about mirroring of images, see Configuring your cluster to pull Cloud Pak for Data images.

  • Use the skopeo command to copy the patch images from the IBM production registry (cp.icr.io/cp/cpd) to the local private registry. Using the appropriate auth.json file, copy the patch images from the IBM production registry to the OpenShift cluster registry:
  skopeo copy docker://cp.icr.io/cp/cpd/ds-runtime:452.0.11  docker://<private registry>/cp/cpd/ds-runtime:452.0.11 --authfile "<folder path>/auth.json"
  • Run the following command to apply the patch to the DataStage custom resource (datastage):
  oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p '{"spec":{"image_digests":{"canvas":"sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1","caslite":"sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849", "codegen":"sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9", "flows": "sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8", "nginx": "sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7", "migration": "sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e", "assets": "sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9", "ruleset": "sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e", "runtime": "sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"}}}'
  • Wait for the DataStage operator reconciliation to complete:
  oc get datastage datastage -o yaml -n <cpd_instance_namespace>

It can take 15 - 20 minutes for the command to complete and the datastage-ibm-datastage-runtime pod to be up and running with the patched image.

 

Non-Air Gapped Environment

In a non-air-gapped environment (i.e. using the online IBM entitled registry), proceed with the following steps:

  • Run the following command to apply the patch to the DataStage custom resource (datastage):
  oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p '{"spec":{"image_digests":{"canvas":"sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1","caslite":"sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849", "codegen":"sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9", "flows": "sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8", "nginx": "sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7", "migration": "sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e", "assets": "sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9", "ruleset": "sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e", "runtime": "sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"}}}'
  • Wait for the DataStage operator reconciliation to complete:
  oc get datastage datastage -o yaml -n <cpd_instance_namespace>

It can take 15 - 20 minutes for the command to complete and the datastage-ibm-datastage-runtime pod to be up and running with the patched image.
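
The following shell functions are an added example, not part of IBM's bulletin: they check the outcome of either procedure by comparing the runtime pod's image digest, and the digest recorded in the DataStage custom resource, against the "runtime" value from the oc patch command above. The sample describe and YAML text are constructed, and the container name and the extra license key in them are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not IBM code. Expected value: the "runtime" digest from the
# oc patch command in this bulletin.
EXPECTED_RUNTIME_DIGEST="sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"

# stdin: `oc describe pod <runtime pod>` output. Prints each distinct ds-runtime digest.
runtime_digests() {
  grep -i 'image:' | grep -o 'ds-runtime@sha256:[0-9a-f]\{64\}' \
    | sed 's/^ds-runtime@//' | sort -u
}

# Succeeds only if the pod references ds-runtime by the expected digest and no other.
# A tag-only reference (no digest) is treated as not verified.
pod_is_patched() {
  local found
  found="$(runtime_digests)"
  [ -n "$found" ] && [ "$found" = "$EXPECTED_RUNTIME_DIGEST" ]
}

# stdin: `oc get datastage datastage -o yaml` output. Prints spec.image_digests.runtime.
cr_runtime_digest() {
  awk '/^  image_digests:/ { in_block = 1; next }
       in_block && /^    runtime:/ { gsub(/"/, "", $2); print $2; exit }
       in_block && !/^    / { in_block = 0 }'
}

# Constructed sample inputs (container name and the license key are assumptions).
sample_describe() {
  cat <<'EOF'
Containers:
  runtime-container:
    Image:         cp.icr.io/cp/cpd/ds-runtime@sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada
EOF
}
sample_cr() {
  cat <<'EOF'
spec:
  image_digests:
    canvas: sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1
    runtime: sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada
  license:
    accept: true
EOF
}

# Live use (placeholders as in the bulletin):
#   oc describe pod <datastage-ibm-datastage-runtime pod> -n <cpd_instance_namespace> | pod_is_patched
#   oc get datastage datastage -o yaml -n <cpd_instance_namespace> | cr_runtime_digest
```

If the custom resource already shows the expected digest but the pod check fails, the pod has not yet been rolled to the patched image.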

Workarounds and Mitigations

None

Change History

01 Sep 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Business Unit: IBM Software w/o TPS (BU059)
Product: IBM DataStage Enterprise Cartridge for IBM Cloud Pak for Data (SSEB46)
Platform: Linux (PF016)
Version: 4.0.6 to 4.5.2
Edition: DataStage Enterprise, DataStage Enterprise Plus, Information Server for Cloud Pak for Data
Line of Business: Data and AI (LOB10)

Document Information

Modified date:
02 September 2022

UID

ibm16618039