Security Bulletin: Lack of path restriction may allow access to sensitive data stored on Information Server Engine (CVE-2012-4818)
CVE ID: CVE-2012-4818
Whenever an Information Server client application such as InfoSphere DataStage and QualityStage Designer allows browse access to file system objects on an engine system, users are permitted to browse to locations based on the rights of the operating system user that is associated with their Information Server user. If this is not correctly configured, then users may be able to gain access to data that they are not entitled to.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78651 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
InfoSphere DataStage 8.7
InfoSphere QualityStage 8.7
InfoSphere Information Analyzer 8.7
InfoSphere DataStage 8.5
InfoSphere QualityStage 8.5
InfoSphere Information Analyzer 8.5
InfoSphere DataStage 8.1
InfoSphere QualityStage 8.1
InfoSphere Information Analyzer 8.1
When you log in to a client application, you specify an Information Server user name. This name is then mapped to a Windows or Unix user for each registered server engine, as defined in the Information Server Administration screens.
Which user this is depends on whether the Information Server system is configured to use a shared external user registry, or whether it uses the internal registry. The internal registry always defines specific operating system user names to be used for credential mapping. If an external registry is used, the system may be configured to specify different user names for credential mapping internally, rather than sharing the external user names. The file system permissions of the server system are honored, so access to file system structures is determined by the operating system user that the Information Server user name maps to (this will be the same user name if an external registry is configured) . So if the mapped user has rights to list a directory, then its contents will be visible in the client application. If that user has rights to read a file, then its contents will be readable on the client - for example in the sequential file importer tool within the InfoSphere DataStage and QualityStage Designer client application. If the mapped operating system user does not have permission, then either the file will not be visible in the directory, or various errors will be returned when opening it.
The processes running on the engine system therefore rely on file permissions on that system being carefully set up with regard to what users will be invoked from clients. Administrators need to consider what users should and should not be allowed to see, and if necessary map the Information Server users to specific operating system users if they are to have separate browsing restrictions, particularly where an internal user registry is configured.
The following InfoSphere Information Server Information Center links describe Engine tier security configuration in more detail:
- November 2012: Initial version
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.