Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20492)

Summary

There is an XML External Entity Injection (XXE) vulnerablility in IBM WebSphere Application Server Liberty used in Liberty for Java for IBM Cloud. This does not occur in the default configuration, it occurs when batchManagement-1.0 is configured.

Vulnerability Details

CVEID:CVE-2021-20492
**DESCRIPTION:**IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197793 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

This vulnerability affects all versions of Liberty for Java in IBM Cloud up to and including v3.57.

Remediation/Fixes

To upgrade to Liberty for Java v3.58-20210602-1655 or higher, you must re-stage or re-push your application

To find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:

cf ssh <appname> -c cat “staging_info.yml”

Look for the following lines:

{“detected_buildpack”:“Liberty for Java™ (WAR, liberty-21.0.0_3, buildpack-v3.57-20210512-1446, ibmjdk-1.8.0_sr6fp26-20210216, env)“,”start_command”:“.liberty/initial_startup.rb”}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>

Workarounds and Mitigations

None