Jun 16, 2018 - 1:41 p.m.

Security Bulletin: Vulnerability in Apache Taglibs affects IBM InfoSphere Information Server (CVE-2015-0254)

2018-06-16 13:41:50
www.ibm.com

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

An Apache Taglibs vulnerability while processing XML data was addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2015-0254
DESCRIPTION: Apache Standard Taglibs could allow a remote attacker to execute arbitrary code on the system, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101550 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5
IBM InfoSphere Information Server Metadata Workbench: versions 8.7 and 9.1

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
InfoSphere Information Server | 11.5 | JR56172 | --Apply IBM InfoSphere Information Server version 11.5.0.1<br>--Apply IBM InfoSphere Information Server Framework Security Patch
InfoSphere Information Server | 11.3 | JR56172 | --Apply IBM InfoSphere Information Server version 11.3.1.2<br>--Apply IBM InfoSphere Information Server Framework Security Patch
InfoSphere Information Server, Metadata Workbench | 9.1 | JR56172<br>JR56270 | --Apply IBM InfoSphere Information Server version 9.1.2.0<br>--Apply IBM InfoSphere Information Server Framework Security Patch<br>--Apply IBM InfoSphere Information Server Metadata Workbench Security patch
InfoSphere Information Server, Metadata Workbench | 8.7 | JR56172<br>JR56270 | --Apply IBM InfoSphere Information Server version 8.7 Fix Pack 2<br>--Apply IBM InfoSphere Information Server Framework Security Patch<br>--Apply IBM InfoSphere Information Server Metadata Workbench Security patch

Note:
1. Some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.
2. For IBM InfoSphere Information Server version 8.5, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None
