An XML External Entity Injection (XXE) vulnerability in InfoSphere Information Server Manager can potentially be used by an attacker to retrieve sensitive documents.
Information Server Manager has a bulk import feature to help users import lists of Source Control Module (SCM) websites or user names.
Use case examples for the bulk load feature are:
- Multiple users want to use the SCM and there are three or more sites that need to be added.
- DataStage version upgrades (e.g. version 11.3 to version 11.5)
IBM Information Server Manager uses XML format for export and import of the SCM website names and links. Information Server Manager also allows the same information to be keyed in manually in the Add Available Software Sites dialog.
The vulnerability lies in the XML import path: a crafted import file can carry a DTD that the XML parser processes when the website list is imported.
CVEID: CVE-2018-1727
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147630> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7
Remediation/Fixes: None
For all releases of Information Server Manager:
- Avoid using the XML import option. Instead, use the ADD button to enter sites and links manually where possible.
- If XML format has to be used for import, inspect the XML file before importing it and confirm that it contains nothing apart from the bookmarks/site structure, in particular no DTD / DOCTYPE section. DTD sections are not required in XML files used with Information Server Manager; if one is present, verify its contents for anything unexpected, or simply remove it, which is safe to do before importing.
Sample XML for import:
<?xml version="1.0" encoding="UTF-8"?>
<bookmarks>
<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
</bookmarks>
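The manual check described above (no DTD / DOCTYPE section, nothing apart from the bookmarks/site structure) can be scripted so that an import file is screened before it ever reaches the vulnerable parser. The following is an added example written for this page, not IBM code and not part of Information Server Manager. It uses only the Python standard library: expat is driven with handlers that abort on any DOCTYPE, entity declaration or external entity reference, and the remaining document is then checked against the element and attribute names taken from the bulletin's sample. The function names, the URL-scheme restriction and the two rejected sample documents are this example's own assumptions and constructed test inputs; the good sample is the bulletin's.

```python
"""Pre-import screening for Information Server Manager bookmark XML.

Added example (not IBM code). Implements the bulletin's advice as a check:
reject any DTD / DOCTYPE section and anything other than the
<bookmarks>/<site> structure. Element and attribute names come from the
bulletin's sample; everything else here is this example's assumption.
"""
import sys
import xml.parsers.expat
import xml.etree.ElementTree as ET

ALLOWED_ROOT = "bookmarks"
ALLOWED_CHILD = "site"
ALLOWED_ATTRS = {"url", "selected", "name"}
# Assumption for defence in depth: bookmark URLs are expected to be web URLs.
ALLOWED_SCHEMES = ("http://", "https://")


class UnsafeXML(ValueError):
    """Raised when the import file must not be handed to the importer."""


def reject_dtd(data: bytes) -> None:
    """Abort on any DOCTYPE, entity declaration or external entity reference.

    The DOCTYPE is where an XXE payload (<!ENTITY x SYSTEM "file:///...">)
    and entity-expansion bombs live, and the bulletin says no DTD is ever
    needed, so the whole DOCTYPE is rejected rather than judged.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration for '{name}' is not allowed")

    def on_entity(*args):
        raise UnsafeXML("entity declaration is not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference {sysid!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"not well-formed XML: {exc}") from exc


def check_structure(data: bytes) -> list[dict]:
    """Allow only <bookmarks> containing flat <site> elements with known attributes."""
    root = ET.fromstring(data)
    if root.tag != ALLOWED_ROOT:
        raise UnsafeXML(f"unexpected root element '{root.tag}'")
    sites = []
    for child in root:
        if child.tag != ALLOWED_CHILD:
            raise UnsafeXML(f"unexpected element '{child.tag}'")
        if len(child):
            raise UnsafeXML("nested elements inside <site> are not allowed")
        extra = set(child.attrib) - ALLOWED_ATTRS
        if extra:
            raise UnsafeXML(f"unexpected attributes on <site>: {sorted(extra)}")
        url = child.get("url", "")
        if not url.startswith(ALLOWED_SCHEMES):
            raise UnsafeXML(f"unexpected URL scheme in {url!r}")
        sites.append(dict(child.attrib))
    return sites


def screen_bookmark_xml(data: bytes) -> list[dict]:
    """Return the site entries if the file is safe to import, else raise UnsafeXML."""
    reject_dtd(data)  # DTD check first: never let ElementTree see a DOCTYPE
    return check_structure(data)


def rejection_reason(data: bytes):
    """None if the file passes, otherwise the reason it was rejected."""
    try:
        screen_bookmark_xml(data)
        return None
    except UnsafeXML as exc:
        return str(exc)


# The bulletin's own sample import file.
GOOD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookmarks>
<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
</bookmarks>"""

# Constructed example of the kind of file the check exists to stop: a DOCTYPE
# declaring an external entity that a vulnerable parser would resolve.
XXE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bookmarks [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<bookmarks>
<site url="http://example.invalid/&xxe;" selected="true" name="x"/>
</bookmarks>"""

# Constructed example with content outside the bookmarks/site structure.
EXTRA_ELEMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookmarks>
<site url="http://example.invalid/tfs" selected="true" name="x"/>
<script>unexpected</script>
</bookmarks>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python screen.py bookmarks.xml
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"GOOD_XML": GOOD_XML, "XXE_XML": XXE_XML,
                   "EXTRA_ELEMENT_XML": EXTRA_ELEMENT_XML}
    for label, data in samples.items():
        reason = rejection_reason(data)
        print(f"{label}: {'OK to import' if reason is None else 'REJECTED: ' + reason}")
```

Rejecting the DOCTYPE outright, rather than inspecting it, is the point: the bulletin states the importer never needs a DTD, so its presence is itself the signal, and a screen that tries to judge entity definitions has to get every expansion and resolution rule right. Run the script on the export file and only hand it to the import dialog when it reports OK.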