IBM Cúram is shipped with a third party library called Castor, which is vulnerable to an XML External Entity Injection (XXE) error.
CVEID: CVE-2014-3004
DESCRIPTION: The Castor library could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93519 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
IBM Cúram Social Program Management 4.5
IBM Cúram Social Program Management 5.2
IBM Cúram Social Program Management 6.0.3
IBM Cúram Social Program Management 6.0.4
IBM Cúram Social Program Management 6.0.5
IBM Cúram Social Program Management 6.0. SP2
IBM Cúram Social Program Management 6.0.5.5a
Product | VRMF | Remediation/First Fix
--- | --- | ---
Cúram SPM | 4.5 | See Workaround
Cúram SPM | 5.2 | See Workaround
Cúram SPM | 6.0.3 | See Workaround
Cúram SPM | 6.0.4 | See Workaround
Cúram SPM | 6.0.5 | See Workaround, or visit IBM Fix Central and upgrade to 6.0.5.8 or a subsequent 6.0.5 release
Cúram SPM | 6.0. SP2 | See Workaround
Cúram SPM | 6.0.5.5a | Visit IBM Fix Central and upgrade to 6.0.5.8 or a subsequent 6.0.5 release
It is important to note that normal users cannot exploit this vulnerability. Only a developer or an administrator is in a position to introduce the malicious XML content needed to exploit it.
To mitigate this vulnerability, make the following changes to the "castor.properties" file shipped inside castor.jar in the CuramSDEJ/lib directory.
These settings configure the SAX 2 parser that Castor uses by default so that it no longer resolves external XML entity references (the root cause of XXE attacks), does not load external DTDs, and rejects DOCTYPE declarations outright. In Castor they are set in the root configuration file (castor.properties). The two http://xml.org/sax/features/... names are standard SAX 2 features; the two http://apache.org/xml/features/... names are Apache Xerces features, so they take effect with the Xerces-based parser Castor uses. The following settings are required:
```properties
# Comma separated list of SAX 2 features that should be enabled
# for the default parser.
org.exolab.castor.sax.features=\
http://apache.org/xml/features/disallow-doctype-decl

# Comma separated list of SAX 2 features that should be disabled
# for the default parser.
org.exolab.castor.sax.features-to-disable=\
http://xml.org/sax/features/external-general-entities,\
http://xml.org/sax/features/external-parameter-entities,\
http://apache.org/xml/features/nonvalidating/load-external-dtd
```
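To confirm the workaround is actually in place after editing the jar, the following added example (not IBM's or Castor's code) reads castor.properties out of a castor.jar, parses the Java properties syntax including the backslash line continuations used above, and reports which of the four required SAX 2 feature settings are missing. The jar entry path `org/exolab/castor/castor.properties`, the in-memory jar, and the two sample property files are constructed for the example and are assumptions, not taken from the bulletin.

```python
"""Audit castor.properties (inline text or inside castor.jar) for the SAX 2
feature settings that mitigate CVE-2014-3004 (Castor XXE).

Added example: not IBM Curam or Castor code. The jar layout and sample
property files below are constructed assumptions for demonstration."""
import io
import re
import zipfile

# The property keys and feature URIs named in the IBM workaround.
ENABLE_KEY = "org.exolab.castor.sax.features"
DISABLE_KEY = "org.exolab.castor.sax.features-to-disable"
REQUIRED_ENABLED = {
    "http://apache.org/xml/features/disallow-doctype-decl",
}
REQUIRED_DISABLED = {
    "http://xml.org/sax/features/external-general-entities",
    "http://xml.org/sax/features/external-parameter-entities",
    "http://apache.org/xml/features/nonvalidating/load-external-dtd",
}

# key, then optional '=' or ':' separator, then the rest of the logical line.
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def _split_kv(logical):
    m = _KV.match(logical)
    return (m.group(1), m.group(2)) if m else (logical, "")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value,
    and trailing-backslash line continuation (leading whitespace of the
    continued line is dropped, as Java does)."""
    props = {}
    buf = None  # logical line being assembled across continuations
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = ""
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        key, value = _split_kv(buf)
        props[key] = value
        buf = None
    if buf is not None:  # continuation at end of file
        key, value = _split_kv(buf)
        props[key] = value
    return props


def _feature_list(props, key):
    return {f.strip() for f in props.get(key, "").split(",") if f.strip()}


def check_castor_hardening(props_text):
    """Return the set of feature URIs NOT configured as the workaround
    requires. An empty set means the workaround is fully in place."""
    props = parse_properties(props_text)
    enabled = _feature_list(props, ENABLE_KEY)
    disabled = _feature_list(props, DISABLE_KEY)
    missing = (REQUIRED_ENABLED - enabled) | (REQUIRED_DISABLED - disabled)
    # A feature that must be off but is also listed as enabled is a misconfiguration.
    missing |= REQUIRED_DISABLED & enabled
    return missing


def check_castor_jar(jar, entry="castor.properties"):
    """Open castor.jar (a path or raw bytes) and audit the castor.properties
    entry inside it, wherever in the jar it sits."""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    with zipfile.ZipFile(src) as zf:
        names = [n for n in zf.namelist() if n.rsplit("/", 1)[-1] == entry]
        if not names:
            raise FileNotFoundError(f"{entry} not found in jar")
        # java.util.Properties files are ISO-8859-1.
        text = zf.read(names[0]).decode("latin-1")
    return check_castor_hardening(text)


def build_jar(props_text):
    """Constructed stand-in for castor.jar (assumed entry path) for offline use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/exolab/castor/castor.properties", props_text.encode("latin-1"))
    return buf.getvalue()


# Constructed sample: the file as the workaround prescribes it.
HARDENED = """\
# Comma separated list of SAX 2 features that should be enabled
# for the default parser.
org.exolab.castor.sax.features=\\
http://apache.org/xml/features/disallow-doctype-decl

# Comma separated list of SAX 2 features that should be disabled
# for the default parser.
org.exolab.castor.sax.features-to-disable=\\
http://xml.org/sax/features/external-general-entities,\\
http://xml.org/sax/features/external-parameter-entities,\\
http://apache.org/xml/features/nonvalidating/load-external-dtd
"""

# Constructed sample: an unhardened file with the feature lists left empty.
STOCK = """\
org.exolab.castor.sax.features=
org.exolab.castor.sax.features-to-disable=
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("stock", STOCK)):
        missing = check_castor_jar(build_jar(text))
        print(label, "OK" if not missing else "MISSING: " + ", ".join(sorted(missing)))
```

Point `check_castor_jar` at the real CuramSDEJ/lib/castor.jar to audit a deployment; if your application also carries its own castor.properties on the classpath, run `check_castor_hardening` over that file as well so the settings you rely on are the ones Castor actually loads.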