CVE-2025-13689
IBM · DataStage on Cloud Pak for Data
Unrestricted file uploads in IBM DataStage on Cloud Pak for Data allow authenticated users to execute arbitrary commands and access sensitive information.
Executive summary
IBM DataStage on Cloud Pak for Data is vulnerable to an unrestricted file upload flaw that allows authenticated users to execute remote commands and compromise sensitive data.
Vulnerability
This vulnerability is caused by a failure to properly validate or restrict files uploaded to the system. An authenticated user can upload malicious scripts or binaries that, when executed by the server, allow arbitrary command execution (remote code execution, RCE) in the context of the application.
Business impact
A successful exploit could lead to a complete compromise of the DataStage environment, allowing an attacker to steal sensitive data, modify data pipelines, or move laterally within the Cloud Pak for Data cluster. The CVSS score of 8.8 reflects the high potential for significant operational disruption and data loss.
Remediation
Immediate Action: Update IBM DataStage on Cloud Pak for Data to the latest version as specified in the IBM security advisory to implement proper file validation.
Proactive Monitoring: Scan the file system for suspicious uploads or web shells and monitor for unusual child processes originating from the DataStage application service.
Compensating Controls: Enforce strict least-privilege access controls so that only highly trusted users have upload permissions, and use file integrity monitoring (FIM) on application directories.
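One way to carry out the file-system scan described under Proactive Monitoring, as an added example that is not IBM's code or part of the original advisory. The directory to scan is supplied by the operator (the advisory names no path), and the extension list is an assumed starting point to tune per site.

```python
import os
import stat
import sys

# File signatures for content a server could execute, plus an assumed
# list of server-side script extensions (tune per site).
EXEC_MAGIC = {b"\x7fELF": "ELF binary", b"MZ": "PE binary", b"#!": "script with shebang"}
SCRIPT_EXTS = {".jsp", ".jspx", ".php", ".sh", ".py", ".pl", ".war"}


def classify(path):
    """Return the reasons a single file looks executable (empty list if none)."""
    reasons = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return reasons  # skip symlinks, sockets, devices
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("execute bit set")
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        reasons.append("script extension")
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in EXEC_MAGIC.items():
        if head.startswith(magic):
            reasons.append(label)
    return reasons


def scan_uploads(root):
    """Walk root and return {path: reasons} for files that look executable."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reasons = classify(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # pass the real upload directory
    for p, why in sorted(scan_uploads(root).items()):
        print(f"{p}: {', '.join(why)}")
```

A finding is a lead for review, not proof of compromise: data files can legitimately begin with `MZ` or `#!`, so compare hits against the expected contents of the directory.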
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability for an authenticated user to achieve Remote Code Execution (RCE) through file uploads is a critical security failure. It is highly recommended that administrators apply the IBM security updates immediately to protect sensitive data assets and maintain the integrity of the Cloud Pak for Data environment.