Security Bulletin
Summary
A vulnerability in DataStage on Cloud Pak for Data could expose database connection details (database names, database user IDs, database credentials) to authorized users with the Cluster Admin role if they remotely accessed running DataStage containers that were processing such database connections. This vulnerability has been addressed.
Vulnerability Details
CVEID: CVE-2022-38714
DESCRIPTION: IBM DataStage on Cloud Pak for Data stores sensitive credential information that can be read by a privileged user.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235060 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
Affected Product(s)             | Version(s)
--------------------------------|-----------
DataStage on Cloud Pak for Data | All
Remediation/Fixes
A project administrator must install this patch to fix issues with the datastage-ibm-datastage-runtime service in DataStage Version 4.5.2.
Procedure
Air Gapped Environment
In an air-gapped environment, proceed with the following steps:
- Log in to the OpenShift console as the cluster admin.
- Prepare the authentication credentials to access the IBM production repository. Use the same auth.json file used for CASE download and image mirroring. For example:
${PROJECT_CPD_INSTANCE}/.airgap/auth.json
Or create an auth.json file that contains credentials to access cp.icr.io and your local private registry. For example:
{
  "auths": {
    "cp.icr.io": {"email": "unused", "auth": "<base64 encoded id:apikey>"},
    "<private registry hostname>": {"email": "unused", "auth": "<base64 encoded id:password>"}
  }
}
For more information about the auth.json file, see containers-auth.json - syntax for the registry authentication file.
- Install skopeo by running:
yum install skopeo
- To confirm the path for the local private registry to copy the patch image, run the following command:
oc describe pod <datastage-ibm-datastage-runtime pod> -n <cpd_instance_namespace> | grep -i "image:"
For example:
oc describe pod datastage-ibm-datastage-runtime-857bc54b4-qcdgx -n <cpd_instance_namespace> | grep -i "image:"
Image: cp.icr.io/cp/cpd/ds-runtime@sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada
- To get the local private registry source details, run the following commands:
oc get imageContentSourcePolicy
oc describe imageContentSourcePolicy [cloud-pak-for-data-mirror]
The local private registry mirror repository and path details should be in the output of the describe command:
- mirrors:
  - ${PRIVATE_REGISTRY_LOCATION}/cp/cpd
  source: cp.icr.io/cp/cpd
For more information about mirroring of images, see Configuring your cluster to pull Cloud Pak for Data images.
- Using the appropriate auth.json file, run the skopeo command to copy the patch image from the IBM production registry (cp.icr.io/cp/cpd) to the local private registry (the OpenShift cluster registry):
skopeo copy docker://cp.icr.io/cp/cpd/ds-runtime:452.0.11 docker://<private registry>/cp/cpd/ds-runtime:452.0.11 --authfile "<folder path>/auth.json"
- Run the following command to apply the patch to the DataStage custom resource (datastage):
oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p '{"spec":{"image_digests":{"canvas":"sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1","caslite":"sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849", "codegen":"sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9", "flows": "sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8", "nginx": "sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7", "migration": "sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e", "assets": "sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9", "ruleset": "sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e", "runtime": "sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"}}}'
- Wait for the DataStage operator reconciliation to complete:
oc get datastage datastage -o yaml -n <cpd_instance_namespace>
Reconciliation can take 15 to 20 minutes before the datastage-ibm-datastage-runtime pod is up and running with the patched image.
Non-Air Gapped Environment
In a non-air-gapped environment (i.e., using the online IBM entitled registry), proceed with the following steps:
- Run the following command to apply the patch to the DataStage custom resource (datastage):
oc patch datastage datastage -n <cpd_instance_namespace> --type merge -p '{"spec":{"image_digests":{"canvas":"sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1","caslite":"sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849", "codegen":"sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9", "flows": "sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8", "nginx": "sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7", "migration": "sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e", "assets": "sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9", "ruleset": "sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e", "runtime": "sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada"}}}'
- Wait for the DataStage operator reconciliation to complete:
oc get datastage datastage -o yaml -n <cpd_instance_namespace>
Reconciliation can take 15 to 20 minutes before the datastage-ibm-datastage-runtime pod is up and running with the patched image.
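Both procedures end with an `oc patch` of the datastage custom resource followed by a wait for reconciliation, and the bulletin leaves it to the administrator to confirm that the pod really restarted on the patched image. The following Python script is an added example, not part of the bulletin and not IBM's code: it builds the same merge-patch body from the digests the bulletin lists, validates their form, and then checks the JSON that `oc get datastage datastage -o json` and `oc get pods -o json` return, reporting whether the custom resource carries every patched digest and whether each datastage-ibm-datastage-runtime pod has a ready container whose imageID resolves to the patched runtime digest. The `SAMPLE_CR` and `SAMPLE_PODS` documents, the second pod name and its all-zero stale digest are constructed placeholders; the function names are assumptions.

```python
import json
import re

# Digests copied from the bulletin's oc patch command (DataStage 4.5.2, patch 452.0.11).
PATCH_DIGESTS = {
    "canvas": "sha256:01dc73b23ad6eac8196ea1fc4d9ccd8d3e8b7c6d7b6b7144b605bc1dfb9983a1",
    "caslite": "sha256:1adde097d2a2998d844b301b4165e2811bf61d2971d51b2b16b58a5ccef34849",
    "codegen": "sha256:1b717ef32d600d11cbc83c81e8fd6f65ef1be259e69ef05a52e2abcfaae12ff9",
    "flows": "sha256:d6bf09409324226aa7afa7ba47466c9ec3436b219b55fb74ad9ea80961774df8",
    "nginx": "sha256:38072713437b4d6f6551de66353b993deb70b75fc27f06c1c707a0aa36dbe4a7",
    "migration": "sha256:80e99fb87e90e2f3f8885f99beaffb87afc11d3624c8a4aa615c870e054aa49e",
    "assets": "sha256:ab108e5f2644ac091cfab9411dc12332cec9f229709e71b1e2de35b5a3a6a5d9",
    "ruleset": "sha256:ffd475cb341673fcd7a4d09bc2b764b050e1c9eea0977d002aff8a6b737a353e",
    "runtime": "sha256:5fd1e1035790e7af16c7bcc423f862d5ad55e8ba1e4efaf933e6468a3d1c2ada",
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
RUNTIME_POD_PREFIX = "datastage-ibm-datastage-runtime"


def build_patch(digests=PATCH_DIGESTS):
    """Return the body for `oc patch datastage datastage --type merge -p ...`,
    refusing to emit a patch if any digest is not a well-formed sha256 reference."""
    for name, digest in digests.items():
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest for image {name!r}: {digest}")
    return json.dumps({"spec": {"image_digests": dict(digests)}}, separators=(",", ":"))


def missing_cr_digests(cr, expected=PATCH_DIGESTS):
    """Compare spec.image_digests of the datastage CR (oc get datastage datastage -o json)
    with the patch set; return the image names whose digest is absent or different."""
    actual = cr.get("spec", {}).get("image_digests", {})
    return sorted(name for name, d in expected.items() if actual.get(name) != d)


def runtime_pod_status(pod_list, expected_runtime=PATCH_DIGESTS["runtime"]):
    """Inspect `oc get pods -o json` output; for every runtime pod return
    (pod name, True if a ready container is running on the patched runtime digest)."""
    results = []
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        if not name.startswith(RUNTIME_POD_PREFIX):
            continue
        statuses = pod.get("status", {}).get("containerStatuses", [])
        # Kubelet reports the resolved image as "<registry>/<path>@sha256:..." in imageID,
        # so a suffix match works for both cp.icr.io and a private mirror path.
        patched = any(
            cs.get("ready") and cs.get("imageID", "").endswith("@" + expected_runtime)
            for cs in statuses
        )
        results.append((name, patched))
    return results


# Constructed sample documents, shaped like the oc JSON output (not real cluster data).
SAMPLE_CR = {"apiVersion": "ds.cpd.ibm.com/v1", "kind": "DataStage",
             "metadata": {"name": "datastage"},
             "spec": {"image_digests": dict(PATCH_DIGESTS)}}

STALE_DIGEST = "sha256:" + "0" * 64  # placeholder for a pre-patch digest
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "datastage-ibm-datastage-runtime-857bc54b4-qcdgx"},
     "status": {"containerStatuses": [{"name": "runtime", "ready": True,
                "imageID": "cp.icr.io/cp/cpd/ds-runtime@" + PATCH_DIGESTS["runtime"]}]}},
    {"metadata": {"name": "datastage-ibm-datastage-runtime-6d9f8c7b5-stale"},  # constructed
     "status": {"containerStatuses": [{"name": "runtime", "ready": True,
                "imageID": "mirror.example.internal/cp/cpd/ds-runtime@" + STALE_DIGEST}]}},
    {"metadata": {"name": "datastage-ibm-datastage-canvas-5c6d7e8f9-abcde"},
     "status": {"containerStatuses": [{"name": "canvas", "ready": True,
                "imageID": "cp.icr.io/cp/cpd/ds-canvas@" + PATCH_DIGESTS["canvas"]}]}},
]}


if __name__ == "__main__":
    # Replace the samples with json.load() of the real oc output to check a cluster.
    print("patch body:", build_patch()[:60], "...")
    print("CR digests not yet patched:", missing_cr_digests(SAMPLE_CR) or "none")
    for pod, ok in runtime_pod_status(SAMPLE_PODS):
        print(f"{pod}: {'patched' if ok else 'NOT on patched runtime image'}")
```

Run it with the sample data as-is, or pipe the two `oc get ... -o json` outputs through `json.load()` in place of the samples; a non-empty list from `missing_cr_digests` means the merge patch has not been applied (or reconciliation rewrote it), and a `False` for a runtime pod means the old replica is still serving and the wait is not over.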
Workarounds and Mitigations
None
References
Change History
01 Sep 2022: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
02 September 2022
UID
ibm16618039