History: Jun 17, 2018 - 3:07 p.m.

Security Bulletin: Jazz for Service Management is affected by Open Source Apache ActiveMQ vulnerability - Reported in 02/05/2015 X-Force Report

2018-06-17 15:07:03
www.ibm.com

EPSS: 0.008 (Low), percentile 81.6%

Summary

Jazz for Service Management (JazzSM) bundles the open source Apache ActiveMQ jar files for use by the underlying DASH/TWL component, and a vulnerability was reported in the bundled jar.

Vulnerability Details

CVEID: CVE-2014-3600
DESCRIPTION: Apache ActiveMQ could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data to specify an XPath based selector, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100722> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Jazz for Service Management v1.1.0.3

Jazz for Service Management v1.1.1.0

Jazz for Service Management v1.1.2.0 includes the fixed version of the jar file

Remediation/Fixes

All the fixes are available in IBM Fix Central.
For 1.1.0.3 - refer to 1.1.0.3-TIV-JazzSM-DASH-Cumulative-Patch-0001
For 1.1.1.0 - refer to 1.1.1.0-TIV-JazzSM-DASH-Cumulative-Patch-0002

Workarounds and Mitigations

None known; apply the fixes provided.
