Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are affected by vulnerabilities in Apache Xerces-C 3.0.0 to 3.2.2 XML parser (CVE-2018-1311)

2021-01-2005:30:39

www.ibm.com

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Summary

Vulnerabilities in Apache Xerces-C 3.0.0 to 3.2.2 XML parser affect IBM Integration Bus and IBM App Connect Enterprise . IBM App Connect Enterprise and IBM Integration Bus have addressed the applicable CVEs

Vulnerability Details

CVEID:CVE-2018-1311
**DESCRIPTION:**Apache Xerces-C could allow a remote attacker to execute arbitrary code on the system, caused by an use-after-free error during the scanning of external DTDs. By sending a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM App Connect V11.0.0.0 - V11.0.0.10

IBM Integration Bus V10.0.0.0 -V10.0.0.22

IBM Integration Bus V9.0.0.0 - V9.0.0.11

Remediation/Fixes

Product

VRMF

| APAR|

Remediation / Fix

—|—|—|—
IBM App Connect| V11.0.0.0-V11.0.0.10| IT35230| Interim fix for APAR IT35230 available on IBM Fix Central.

IBM Integration Bus| V10.0.0.0 - V10.0.0.22| IT35230| Interim fix for APAR IT35230 available on IBM Fix Central.
IBM Integration Bus| V9.0.0.0 - V9.0.0.11| IT35230| Interim fix for APAR IT35230 available onIBM Fix Central.