Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by denial of service vulnerability (CVE-2014-8901)

Published: 2020-03-23 20:41:52 (www.ibm.com)

CVSS2 Base Score: 4 (Medium)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Summary

WebSphere Message Broker and IBM Integration Bus are affected by a denial of service vulnerability. Pattern matching while validating a specially crafted XML document causes XML4C to consume 100% CPU.

Vulnerability Details

CVEID: CVE-2014-8901
DESCRIPTION: IBM XML4J and XML4C libraries contain a denial of service vulnerability when loading specially crafted content. This causes the CPU to consume 100% of available resources and creates serious performance degradation to the system.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99110 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Affected Products and Versions

WebSphere Message Broker V8

IBM Integration Bus V9 and V10

Remediation/Fixes

Product | VRMF | APAR | Remediation/Fix
---|---|---|---
IBM Integration Bus | V10 | IT07064 | An interim fix is available from IBM Fix Central for all platforms: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT07064 The APAR is targeted to be available in fix pack 10.0.0.4
IBM Integration Bus | V9 | IT07064 | An interim fix is available from IBM Fix Central for all platforms: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT07064 The APAR is targeted to be available in fix pack 9.0.0.6
WebSphere Message Broker | V8 | IT07064 | An interim fix is available from IBM Fix Central for all platforms: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT07064 The APAR is targeted to be available in fix pack 8.0.0.7

To mitigate the vulnerability, after an interim fix or fix pack containing IT07064 is applied, you must also set the following environment variable, which disables the use of regular expressions by the MRM parser, before starting the broker or integration node:

MQSI_DISABLE_REGEX_IN_XML4C=yes
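The variable has to be present in the environment of the process that starts the broker or integration node, not merely assigned in the operator's shell. As an added example (not part of the IBM bulletin), a POSIX sh guard that reports whether a child process would actually inherit MQSI_DISABLE_REGEX_IN_XML4C=yes and refuses to run the start command otherwise; the start command passed to guarded_start is assumed, not taken from the bulletin.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin. Pre-start guard for the mitigation
# the bulletin specifies (MQSI_DISABLE_REGEX_IN_XML4C=yes): it checks that the
# variable would reach a child process, not merely that it is assigned in the
# current shell, because a broker or integration node started afterwards only
# inherits exported variables. The start command handed to guarded_start is a
# placeholder (assumption).

# Prints one word describing what a started node would see:
#   mitigated     exported with the value "yes" (what the bulletin requires)
#   wrong-value   exported, but with some other value
#   not-exported  assigned in this shell only; a child process would not see it
#   unset         not set at all
# The child value is read through `sh -c` on purpose: that is exactly what a
# process started from this shell would observe.
mitigation_state() {
    child_value=$(sh -c 'printf "%s" "${MQSI_DISABLE_REGEX_IN_XML4C-}"')
    if [ "$child_value" = "yes" ]; then
        echo "mitigated"
    elif [ -n "$child_value" ]; then
        echo "wrong-value"
    elif [ -n "${MQSI_DISABLE_REGEX_IN_XML4C-}" ]; then
        echo "not-exported"
    else
        echo "unset"
    fi
}

# Runs the given start command only when the mitigation is in place; otherwise
# reports why and returns 1 so that a calling script or service unit fails loudly.
guarded_start() {
    state=$(mitigation_state)
    if [ "$state" != "mitigated" ]; then
        echo "refusing to start: MQSI_DISABLE_REGEX_IN_XML4C is $state" >&2
        return 1
    fi
    "$@"
}

# Example use (placeholder command; a real deployment would pass the product's
# own node start command for the node in question):
# export MQSI_DISABLE_REGEX_IN_XML4C=yes
# guarded_start echo "starting node"
```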

For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at:

http://www.ibm.com/support/docview.wss?uid=swg27006308

Workarounds and Mitigations

None known
