Security Bulletin: A vulnerability in Apache Xerces-C XML Parser library affects IBM Tivoli Composite Application Manager for Transactions (CVE-2016-4463)

Summary

Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing a deeply nested DTD. A remote attacker could exploit this vulnerability to cause a denial of service.

Vulnerability Details

CVEID: CVE-2016-4463**
DESCRIPTION:** Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing a deeply nested DTD. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114596 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Tivoli Composite Application Manager (ITCAM) for Transactions : Versions 7.4 is affected

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
IBM Tivoli Composite Application Manager for Transactions (Internet Service Monitoring) | 7.4|
| <http://www-01.ibm.com/support/docview.wss?uid=isg400003217&gt;
IBM Tivoli Composite Application Manager for Transactions (Response Time)| 7.4|
| http://www-01.ibm.com/support/docview.wss?uid=isg400003070
IBM Tivoli Composite Application Manager for Transactions (Transaction Tracking)| 7.4|
| http://www-01.ibm.com/support/docview.wss?uid=isg400003496

Workarounds and Mitigations

None