Security Bulletin: Rational Change is affected by vulnerabilities (CVE-2014-5325 and CVE-2014-5326) in Java Open Source Direct Web Remoting library.

Summary

The DOMConverter, JDOMConverter, DOM4JConverter, and XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerability Details

CVEID**:** CVE-2014-5325 DESCRIPTION:Direct Web Remoting (DWR) could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain local system files and other sensitive information. CVSS Base Score:4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98687&gt; for the current score CVSS Environmental Score:* Undefined CVSS Vector**:** (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-5326 **DESCRIPTION:**Direct Web Remoting (DWR) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. **CVSS Base Score:**4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98686&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Rational Change 5.2.0.8 and earlier

Rational Change 5.3.0.6 and earlier

Rational Change 5.3.1.1 and earlier

Remediation/Fixes

Issue is fixed in Rational Change by upgrading DWR library from version 2.0.3 to version 2.0.11.

Product

|

VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—

Rational Change

|

5.3.0.6

|

None

|

http://www.ibm.com/support/docview.wss?uid=swg24039897

Rational Change

|

5.3.1.1

|

None

|

<http://www.ibm.com/support/docview.wss?uid=swg24038503&gt;

Workarounds and Mitigations

None