IBMA3FA4D9C192A023801E9B6B6F8D3AA16FEBC838FBECA66CEB2413B967D1EC166Security Bulletin: Vulnerability in Apache POI affects IBM Maximo Asset Management (CVE-2017-5644)
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
Summary
Apache POI used by IBM Maximo Asset Management is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
Vulnerability Details
CVEID: CVE-2017-5644**
DESCRIPTION:** Apache POI is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
The following Apache POI versions are affected:
- Apache POI 3.14 and earlier releases
IBM supplied Apache POI with the following:
The 7.5.0.x and 7.6.0.x versions of Maximo Asset Management bundled Apache POI 3.7, 3.8, and 3.14.
This vulnerability affects the following versions of the IBM Maximo Asset Management core product, and all other IBM Maximo Industry Solution and IBM Control Desk products, regardless of their own version, if they are currently installed on top of an affected IBM Maximo Asset Management. *
Maximo Asset Management core product affected versions:
Maximo Asset Management 7.6, 7.5
Maximo Asset Management Essentials 7.5
Industry Solutions products affected if using an affected core version:
Maximo for Aviation
Maximo for Government
Maximo for Life Sciences
Maximo for Nuclear Power
Maximo for Oil and Gas
Maximo for Transportation
Maximo for Utilities
IBM Control Desk products affected if using an affected core version:
SmartCloud Control Desk
IBM Control Desk
Tivoli Integration Composer
- To determine the core product version, log in and view System Information. The core product version is the โTivoliโs process automation engineโ version. Please consult the Product Coexistence Matrix for a list of supported product combinations.
Remediation/Fixes
The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the โreadmeโ documentation provided with each fix pack or interim fix.
For Maximo Asset Management 7.6, 7.5:
| VRM | Fix Pack, Feature Pack, or Interim Fix | **Download ** |
|---|---|---|
| 7.6.0 | Maximo 7.6.0.8 Interim Fix: | |
| 7.6.0.8-TIV-MBS-IFIX002 or latest Interim Fix available | FixCentral | |
| 7.5.0 | Maximo 7.5.0.11 Interim Fix: | |
| 7.5.0.11-TIV-MBS-IFIX008 or latest Interim Fix available | FixCentral |
Workarounds and Mitigations
None
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C