
Security Bulletin: IBM Operational Decision Manager is affected by CVE-2018-1821 vulnerability

2018-12-19 14:45:01
www.ibm.com

EPSS: 0.044 (Low), percentile 92.5%

Summary

IBM Operational Decision Manager has addressed the vulnerability CVE-2018-1821

Vulnerability Details

CVEID: CVE-2018-1821
**DESCRIPTION:** IBM Operational Decision Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150170 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

  • IBM Operational Decision Manager v8.6
  • IBM Operational Decision Manager v8.7
  • IBM Operational Decision Manager v8.8
  • IBM Operational Decision Manager v8.9

Remediation/Fixes

Select the following interim fix to upgrade your installation of ODM based on your version of the product:

Interim fixes for APARs RS03231 and RS03192 are available from IBM Fix Central:

IBM Operational Decision Manager v8.6: 8.6.0.3-WS-ODM_DS-IF035

IBM Operational Decision Manager v8.7: 8.7.1.2-WS-ODM_DS-IF079

IBM Operational Decision Manager v8.8: 8.8.1.3-WS-ODM_DS-IF090

IBM Operational Decision Manager v8.9: 8.9.2.1-WS-ODM_DS-IF004

For IBM WebSphere Operational Decision Management v7.1, v7.5, v8.0 and v8.5, IBM recommends upgrading to a fixed, supported version.

Workarounds and Mitigations

For v8.6 and v8.7, a context parameter has been added to the HTDS application descriptor to prevent the vulnerability in the XML validation feature when running on JDK 1.6.
Edit the web.xml in the HTDS WAR file and set the DisableInsecureXMLValidation parameter as needed:

```xml
<!-- Specify whether XML validation of requests is enabled for Java versions lower than 1.7.0
Possible values are: true, false
true : XML validation is disabled when the Java version is before 1.7.0
false : XML validation is enabled for all Java versions
-->
<context-param>
<param-name>DisableInsecureXMLValidation</param-name>
<param-value>false</param-value>
</context-param>
```
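The context parameter above only switches the affected validation path off; the general defence against the XXE class the bulletin describes is to configure the JAXP parser itself so that a DTD or external entity in an incoming request is rejected before it is resolved. The following is an added example of that hardening and is not IBM's or ODM's code; the class name, helper names, sample documents and the placeholder entity URI are all constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hypothetical helper: DOM parsing that refuses DTDs and external entities (not ODM code). */
public final class HardenedXmlParser {
    /** Factory configured to block the XXE vectors before any untrusted XML is read. */
    public static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: with no DTD there is no place to declare an external entity.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DTD: never resolve external entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP secure processing enforces entity-expansion limits, bounding the memory-exhaustion side.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    /** Parses untrusted XML; throws SAXException if the input carries a DTD or entity reference. */
    public static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Last line of defence: even if a feature were unsupported, no external resource is fetched.
        b.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity resolution blocked: " + systemId);
        });
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign request and one declaring an external entity (placeholder URI).
        String benign = "<?xml version=\"1.0\"?><request><rule>approve</rule></request>";
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE request [ <!ENTITY ext SYSTEM \"http://example.invalid/entity\"> ]>"
            + "<request>&ext;</request>";
        System.out.println("benign root: " + parseUntrusted(benign).getDocumentElement().getTagName());
        try {
            parseUntrusted(hostile);
            System.out.println("UNEXPECTED: hostile document was accepted");
        } catch (SAXException e) {
            // Expected path: the DOCTYPE is rejected before the entity could ever be resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE outright covers both consequences the bulletin lists, information disclosure through entity resolution and memory consumption through entity expansion, independently of the JDK version in use.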
