Security Bulletin: Vulnerability in XML Entity Processsing affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8980)

Summary

The product does not disable external XML Entity Processsing which can lead to information disclosure and denial of service attacks.

Vulnerability Details

CVEID: CVE-2016-8980**
DESCRIPTION:** IBM BigFix Inventory v9.x is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

IBM License Metric Tool v9.x IBM BigFix Inventory v9.x

Remediation/Fixes

Upgrade to version 9.2.6 or later using the following procedure:

• In IBM Endpoint Manager console, expand IBM BigFix InventoryorIBM License Reporting (ILMT) node underSites node in the tree panel.
• Click Fixlets and Tasks node.Fixlets and Tasks panel will be displayed on the right.
• In the Fixlets and Tasks panel locate _Upgrade to the newest version of IBM BigFix Inventory 9.x _or Upgrade to the newest version IBM License Metric Tool 9.x fixlet and run it against the computer that hosts your server.

Workarounds and Mitigations

None