Security Bulletin: iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity

Summary

iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity used by IBM Tivoli Network Manager (ITNM) IP Edition.

Vulnerability Details

CVEID:CVE-2017-9096
**DESCRIPTION:**iText PDF Library could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted XML file. A remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/134520 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now using the steps provided in the workaround section.

Workarounds and Mitigations

To fix the vulnerability, complete the following steps.
o Take a backup of the $NMGUIHOME/precision_gui/lib/shared_jars/iText.jar file.
o Remove the iText.jar file from the shared_jars directory.
Completing these steps disables the PDF option in the “Save As Image” dialog in Topoviz. You can still select PDF as an output format, but no file is generated. You can generate a PDF by using the browser’s print function, or the Print button on the Topoviz toolbar, but these methods do not have the extra options that are present in the Save As Image dialog.