Security Bulletin: Information disclosure in WebSphere Application Server Liberty (CVE-2013-6440)

2018-06-15 07:08:21
www.ibm.com

CVSS2 score: 5.0 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

There is an information disclosure due to an XML external entity (XXE) vulnerability when using the OpenSAML features in WebSphere Application Server Liberty.

Vulnerability Details

CVEID: CVE-2013-6440
DESCRIPTION: OpenSAML could allow a remote attacker to obtain sensitive information, caused by an error when parsing XML entities. By persuading a victim to open a specially-crafted XML document containing external entity references, an attacker could exploit this vulnerability to obtain sensitive information (an XML external entity, XXE, issue: the parser resolves the referenced entity, for example a local file URI, and its contents end up in the parsed document).
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89714 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Note that IBM's vector differs from the header score above only in Access Complexity (AC:M here versus AC:L), which is why IBM reports 4.3 rather than 5.0.
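To make the mechanism in the description concrete, the following is an added example written for this page; it is not IBM's, OpenSAML's or WebSphere's code. It builds a constructed SAML-shaped assertion whose DOCTYPE declares an external general entity pointing at a local file, then hands it first to an unhardened JAXP DocumentBuilder and then to one configured to reject DOCTYPE declarations and external entities. The class name SamlXxeDemo, the temporary file and the "db-password=hunter2" contents are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SamlXxeDemo {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample: a minimal SAML-shaped assertion whose DOCTYPE declares an
    // external general entity (a local file URI) that the NameID element then references.
    static String samlWithXxe(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE Assertion [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">\n"
             + "  <saml:Subject><saml:NameID>&xxe;</saml:NameID></saml:Subject>\n"
             + "</saml:Assertion>\n";
    }

    // Unhardened JAXP parser: DOCTYPE is accepted and external general entities are expanded.
    static DocumentBuilder unhardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened parser: refuse any DOCTYPE, and additionally switch off external entity
    // resolution, external DTD loading and XInclude in case a DOCTYPE ever gets through.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and return the NameID text, i.e. what a SAML consumer
    // would treat as the asserted subject.
    static String nameIdText(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagNameNS(SAML_NS, "NameID").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for any file the server process can read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();
        String xml = samlWithXxe(secret);

        // Unhardened parser: the subject now carries the file's contents.
        System.out.println("unhardened NameID: " + nameIdText(unhardenedBuilder(), xml));

        // Hardened parser: the DOCTYPE is rejected before any entity can be resolved.
        try {
            nameIdText(hardenedBuilder(), xml);
            System.out.println("hardened: unexpectedly parsed the document");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile with `javac SamlXxeDemo.java` and run with `java SamlXxeDemo`: the unhardened parser returns the temporary file's contents as the NameID, while the hardened one throws a SAXParseException on the DOCTYPE. For Liberty itself the remedy is the APAR listed in the Remediation section, not application-level parser changes; the hardened factory is what to apply in your own code paths that parse SAML or other untrusted XML.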

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

  • Liberty using samlWeb-2.0 feature
  • Liberty using wsSecuritySaml-1.1 feature

To check exposure, look for either feature name inside the <featureManager> element of each server's server.xml, and use wlp/bin/productInfo version to read the installed Liberty fix pack level.

Remediation/Fixes

The recommended solution is to apply the interim fix or Fix Pack containing APAR PI89102 for each named product as soon as practical.

For WebSphere Application Server Liberty using the OpenSAML features:
  • Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI89103
  --OR--
  • Apply Liberty Fix Pack 17.0.0.4 or later.
