Security Bulletin: Watson Knowledge Catalog InstaScan is vulnerable to an XML External Entity (XXE) Injection vulnerability due to IBM WebSphere Application Server Liberty ( CVE-2021-20492 )

Summary

WebSphere Application Server Java Batch, that was included in Watson Knowledge Catalog InstaScan, is vulnerable to an XML External Entity Injection (XXE) vulnerability. This has been addressed.

Vulnerability Details

CVEID:CVE-2021-20492
**DESCRIPTION:**IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197793 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
Watson Knowledge Catalog InstaScan| 1.1.0 - 1.1.6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Note: WebSphere Application Server Java Batch is bundled with Watson Knowledge Catalog InstaScan to provide an application runtime functionality.

In order to upgrade to the 1.1.7 version, please run the following command on the infrastructure node of the OpenShift cluster:

./cpd-cli upgrade --repo <your-repo.yaml> -a wkc-instascan -n <your-name-space> --verbose --accept-all-licenses

Replace <your-repo.yaml> with the name of the repository yaml file and <your-name-space> with the actual OpenShift project name (Kubernetes namespace) where the product is installed.

Workarounds and Mitigations

None.