Security Bulletin: InfoSphere Information Server is vulnerable to XML External Entity Injection (XXE) (CVE-2016-6059)

Summary

IBM InfoSphere Information Server is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data.

Vulnerability Details

CVEID: CVE-2016-6059 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117232 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM Information Server Framework: versions 11.3, and 11.5
IBM InfoSphere DataStage Hierarchical Data stage: versions 11.3, and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
InfoSphere Information Server, DataStage Hierarchical Data stage, Information Server on Cloud| 11.5| JR56569| --Apply IBM InfoSphere Information Server version 11.5.0.1
--Apply IBM InfoSphere Information Server Framework Security patch
--Apply IBM InfoSphere DataStage Hierarchical Data Stage Connector Security patch
InfoSphere Information Server, DataStage Hierarchical Data stage| 11.3| JR56569| --Apply IBM InfoSphere Information Server version _11.3.1.2 _
--Apply IBM InfoSphere Information Server Framework Security patch
--Apply IBM InfoSphere DataStage Hierarchical Data Stage Connector Security patch

Workarounds and Mitigations

None