The DataStage developers of the customer HUK-COBURG use the Hierarchical Data Stage in their jobs, in which an assembly editor based on the Adobe Flash Player is used.
Support for the Adobe Flash Player was discontinued on December 31, 2020, and Microsoft has provided the update "KB4577586: Update for the removal of Adobe Flash Player: October 27, 2020" to remove it from Windows computers. The end of support for the Adobe Flash Player at the end of 2020 had been publicly announced by Adobe since mid-2017.
Without the Adobe Flash Player, the Assembly Editor cannot be used in the Hierarchical Data Stage. Therefore, IBM has developed the DataStage Flow Designer (DFD) to take over the functionality of the Assembly Editor. Unfortunately, the functionality of the DataStage Flow Designer in the current version 11.7.1.1 is not complete, so some of the functionality used by developers in the Assembly Editor is not included in DataStage Flow Designer (for the exact problem, see *1 below). IBM initially communicated that DataStage Flow Designer would be further developed to fully incorporate this functionality. However, IBM is now not developing the DataStage Flow Designer further for the current Information Server version 11.7.1.1 and promises full functionality only with the Cloud Pak for Data (CP4D) version. According to the current status, HUK-COBURG is planning to switch to the CP4D version in early to mid-2024 (before the regular end of support of the software product).
In order to be able to continue using the Assembly Editor in the Hierarchical Data Stage without the Adobe Flash Player, IBM has now made the HARMAN Plugin available free of charge until January 31, 2022. This plugin, which is based on the Adobe Flash Player, will continue to be supported by HARMAN, but cannot close the system-related security gaps of Flash.
HUK-COBURG has installed the HARMAN plug-in on a test terminal server. Since the plug-in uses components of Internet Explorer, the add-on "Shockwave Flash Object" from HARMAN must be activated so that the Assembly Editor of the Hierarchical Data Stage can be used. To make use of the add-on more secure, it could be restricted to the web pages of Information Server. However, since standard users of Internet Explorer can change this setting again, this does not provide any additional security.
After enquiries in the HUK-COBURG IT security department, we were informed that the use of the HARMAN solution can only be a temporary solution. Assumption of risk for the use of the HARMAN solution until February 2022 may be justifiable (for further information, see below *2). According to the HUK-COBURG IT security department, the HARMAN software component will not be used beyond February 2022 in any case, so that alternatives must be found for the period from February 2022 to the beginning/middle of 2024.
The impact of the Hierarchical Data Stage for HUK-COBURG, according to information from the developers concerned, is described below (*3).
*1) Problem of the HUK-COBURG developers with the Flow Designer:
When using the DataStage Flow Designer, the functionality to select a string set in the menu under Hierarchical Data Stage - Assembly Editor - 2. XML_Parser is missing.
Unfortunately, only a single XML file can be selected here. In the previous use of the Hierarchical Data Stage with the Assembly Editor from the DataStage Designer, this is possible.
The goal is to extract a single column from an XML string with the XML parser. If you have loaded the corresponding XSD into the library and then configure the step with the XML parser, you have no way to select that column. The input for the parser step should be a column from the input link. In the Flow Designer, no way was found to configure a column within the stream as the source in the Parser Step, as was possible before. As already mentioned, only the selection of a single file is offered.
*2) Statement of the HUK-COBURG IT security department on the use of the HARMAN plug-in:
The HUK IT security department sees the following problem points:
Even the HARMAN solution does not close the inherent Flash vulnerabilities, which means that HUK-COBURG is still exposed to them.
Regardless of which Flash plug-in is used, we are working with outdated technology that is not supported worldwide and is therefore effectively "dead".
Regulatory provisions prohibit us from working with such technology (the state of the art must be complied with: VAIT and KRITIS requirements).
The permissibility of assuming risk is also questionable, as the regulatory provisions prohibit assuming a risk if there are suitable measures according to the state of the art that are appropriate. A supervisory authority may conclude that a company with the turnover of HUK-COBURG can be expected to look for an alternative solution.
This means that the use of the HARMAN solution can only be a temporary solution. It should be replaced promptly in such a way that the need for Flash is eliminated. If the manufacturer (in this case IBM) cannot or will not do this, they should be informed that they are violating German regulations and that we must report this to the supervisory authorities (BaFin, BSI) in order to announce the continued, knowing operation of an unsafe "stone age technology".
From this follows: an assumption of risk for the use of the HARMAN solution until February 2022 may be justifiable. Beyond that, the problems mentioned above take effect.
It is hard to believe that a third party can do what Adobe has failed to do for years: namely, to clean up the juggernaut called Flash of all security gaps, including design errors.
HUK-COBURG IT security assumes that there will be updates, but these will relate more to the applications of the third-party provider or perhaps even of IBM. The Flash problems will remain. Therefore, from a security point of view, Flash is not sustainable in the long term and must be eliminated as soon as possible.
*3) Impact of the Hierarchical Data Stage for HUK-COBURG according to information from the developers concerned:
If the Hierarchical Data Stage based on Flash technology (whatever form it may take) no longer works and the stage in the DFD is not usable, then we will have serious effects on production that are equivalent to a production stoppage:
- PKC Process Key Figure Cockpit / Real Time (very important critical application): processes billions of XML data records daily; no changes or bug fixes to existing processing routes would be possible; no new developments based on XML with the Hierarchical Stage would be possible; this is equivalent to a production stoppage; it would initially mean a development stop, and the complete application would have to be re-implemented with a different technology.
- Offer controlling: processing of XML with the Hierarchical Data Stage; effects as for all others.
- VTP selections / sales portal, see above.
- ZEV ...
Hi Martin, thanks for taking the time to provide these details. We will reach out to you and the team to discuss further.