
Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)

Published: 2018-10-08 19:05:01
Source: www.ibm.com
CVSS: 7 | EPSS: 0.002 (Low), percentile 53.0%

Summary

An XML External Entity Injection (XXE) vulnerability in InfoSphere Information Server Manager can potentially be used by an attacker to retrieve sensitive documents.

Information Server Manager has a bulk import feature to help users import lists of Source Control Module (SCM) websites or user names.
Use case examples for the bulk load feature are:
- Multiple users want to use the SCM and there are three or more sites that need to be added.
- DataStage version upgrades (for example, from version 11.3 to version 11.5)
IBM Information Server Manager uses XML format for export and import of the SCM website names and links. Information Server Manager also allows the same information to be entered manually in the Add Available Software Sites dialog.

There is a potential vulnerability when importing the website list using XML import.

Vulnerability Details

CVEID: CVE-2018-1727
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147630 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7

Remediation/Fixes

None

Workarounds and Mitigations

For all releases of Information Server Manager:

• Avoid using the XML import option. Instead, use the ADD button to enter site and link information manually where possible.

• If XML format has to be used for import, manually check the XML file before importing it to determine whether it contains a DTD / DOCTYPE section or any section other than the SITE tag. DTD sections are not required in XML files used with Information Server Manager, and if present, they can be safely removed before importing. IBM recommends manually checking the XML file content before importing the file. If there is a DTD / DOCTYPE section, verify its contents for any unexpected content.

Sample XML for import:

<?xml version="1.0" encoding="UTF-8"?>
<bookmarks>
<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
</bookmarks>
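The manual check described in the workaround (no DTD / DOCTYPE section, nothing but the expected tags) can be automated before a file is handed to the importer. The following script is an added example, not IBM's code or part of Information Server Manager: it uses only Python's standard-library expat bindings, records any DOCTYPE, entity declaration or external entity reference without resolving it, lists every element outside the expected bookmarks/site structure, and offers the "remove the DTD section and re-check" step the bulletin describes. The three input files are constructed for the example (the first is the bulletin's own sample; the placeholder hostnames and paths in the other two are not real), and the assumption that an import file contains only a bookmarks root with site children is taken from that sample.

```python
"""Pre-import check for Information Server Manager bookmark XML (added example)."""
import re
import xml.parsers.expat

# Assumption (from the bulletin's sample file): only these elements are expected.
ALLOWED_TAGS = {"bookmarks", "site"}

# Constructed sample 1: the benign import file shown in the bulletin.
SAFE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookmarks>
<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
</bookmarks>
"""

# Constructed sample 2: the same data preceded by an unnecessary DOCTYPE that points
# at an external DTD (placeholder host). This is the section the bulletin says to remove.
DOCTYPE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bookmarks SYSTEM "http://dtd.example.invalid/bookmarks.dtd">
<bookmarks>
<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
</bookmarks>
"""

# Constructed sample 3: an internal subset declaring an external general entity
# (placeholder system id) that the document body then references.
ENTITY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bookmarks [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path"> ]>
<bookmarks>
<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="injected">&ext;</site>
</bookmarks>
"""


def inspect_import_xml(data: bytes) -> dict:
    """Parse without resolving anything external and report what the file contains."""
    report = {"doctype": None, "entities": [], "external_refs": [],
              "unexpected_tags": [], "sites": [], "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = {"name": name, "system_id": system_id,
                             "internal_subset": bool(has_internal_subset)}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append({"name": name, "system_id": system_id, "value": value})

    def on_external_ref(context, base, system_id, public_id):
        # Record the reference; returning 1 tells expat it was handled, so
        # nothing is fetched or parsed from the referenced location.
        report["external_refs"].append(system_id)
        return 1

    def on_start_element(name, attrs):
        if name not in ALLOWED_TAGS:
            report["unexpected_tags"].append(name)
        elif name == "site":
            report["sites"].append({"url": attrs.get("url"), "name": attrs.get("name"),
                                    "selected": attrs.get("selected")})

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        report["parse_error"] = str(exc)
    return report


def is_safe_for_import(report: dict) -> bool:
    """True only when the file is well-formed, has no DTD at all, and uses only the expected tags."""
    return (report["parse_error"] is None and report["doctype"] is None
            and not report["entities"] and not report["external_refs"]
            and not report["unexpected_tags"])


# Simple pattern for one DOCTYPE declaration with an optional internal subset.
# A ']' inside a quoted literal in the subset would confuse it, which is why the
# stripped file is always inspected again rather than trusted.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>", re.DOTALL)


def strip_dtd(data: bytes) -> bytes:
    """Remove the DOCTYPE section, which the bulletin says is never needed for import."""
    return DOCTYPE_RE.sub(b"", data, count=1)


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_XML), ("doctype", DOCTYPE_XML), ("entity", ENTITY_XML)):
        result = inspect_import_xml(doc)
        verdict = "OK to import" if is_safe_for_import(result) else "REJECT"
        print(f"{label}: {verdict} {result}")
        if result["doctype"] is not None:
            cleaned = inspect_import_xml(strip_dtd(doc))
            print(f"  after strip_dtd: {'OK to import' if is_safe_for_import(cleaned) else 'REJECT'}")
```

Run against the three samples, the bulletin's file passes, the file with an external DTD reference is rejected as-is but passes once the DOCTYPE is stripped, and the file with the entity declaration is rejected both before stripping (entity declared and referenced) and after (the body still references an entity that no longer exists, so the file is not well-formed). That last case is the "verify its contents for any unexpected content" step: removing the DTD is only safe when nothing in the body depended on it.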
