Security Bulletin: Multiple vulnerabilities in Spring Framework affect IBM InfoSphere Information Server

Summary

Multiple vulnerabilities in Spring Framework were addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2015-5211 DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to download arbitrary files, caused by a reflected file download attack. By using a specially crafted URL with a batch script extension, an attacker could exploit this vulnerability to download a malicious response.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/130673&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-3192 DESCRIPTION: Pivotal Spring Framework is vulnerable to a denial of service, caused by the failure to properly process inline DTD declarations when DTD is partially enabled. By persuading a victim to open a specially crafted XML file, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115554&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server : versions 11.7

Remediation/Fixes

Product

| VRMF | APAR | Remediation/First Fix
—|—|—|—
InfoSphere Information Server, Information Server on Cloud | 11.7 | JR61139 | --Apply IBM InfoSphere Information Server version 11.7.1.0
--Apply IBM InfoSphere Information Server 11.7.1.0 Service Pack 1

Workarounds and Mitigations

None