Security Bulletin: XML External Entity (XXE) security vulnerability in InfoSphere Guardium (CVE-2012-3339)

Abstract

XML External Entity (XXE) security vulnerability in InfoSphere Guardium allows remote authenticated users to obtain sensitive information via unspecified vectors.

Content

VULNERABILITY DETAILS:
CVE ID: CVE-2012-3339

DESCRIPTION:
User can get to an error report containing content of a file on the server with database password.

CVSS:
CVSS Base Score: 4.3
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM InfoSphere Guardium 8.2 and earlier

REMEDIATION:
Apply the patch for password disclosure .

As of August 24, 2012, the latest Guardium patches and GPU fixpacks for all versions are available through FixCentral.

The specific fix is found in GPU fixpack for V8.2 - v8.2p100 and higher
Please pick the latest GPU for your version - available on the Fix Central site ** **

REFERENCES:
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2012-3312

RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog** **

[{“Product”:{“code”:“SSMPHH”,“label”:“IBM Security Guardium”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“–”,“Platform”:[{“code”:“PF016”,“label”:“Linux”}],“Version”:“8.2;8.0.1;8.0”,“Edition”:“”,“Line of Business”:{“code”:“LOB24”,“label”:“Security Software”}}]