Security Bulletin: XXE and XmlBomb vulnerability in FileNet Workplace (CVE-2016-3055)

Summary

FileNet Workplace is susceptible to the XXE and XmlBomb vulnerability.

Vulnerability Details

Relevant CVE Information: CVEID: CVE-2016-3055**
DESCRIPTION:** IBM FileNet Workplace is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114754 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

FileNet Workplace 4.0.2

Remediation/Fixes

Download FileNet Workplace 4.0.2.14 LA012 (4.0.2.14-P8AE-LA012) from IBM Fix Central.

Here is a direct link to the fix http://www.ibm.com/support/fixcentral/swg/quickorder?parent=FileNet%2BProduct%2BFamily&product=ibm/Information+Management/FileNet+Application+Engine&release=4.0.2.*&platform=All&function=fixId&fixids=4.0.2.14-P8AE-LA012%3A+450332LA012&includeSupersedes=0&source=fc

Installation instructions are included with the LA fix.

Workarounds and Mitigations

None.