Security Bulletin: A vulnerability in XML processing affects IBM DataPower Gateways (CVE-2015-1819)

Summary

IBM DataPower Gateways has addressed a vulnerability in parsing certain XML files that could cause a denial of service.

Vulnerability Details

CVEID: CVE-2015-1819**
DESCRIPTION:** Libxml is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error in the xmlreader when processing XML data. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107272 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM DataPower Gateway appliances versions 7.2.0.0, 7.2.0.1 and 7.2.0.2

Remediation/Fixes

Fix is available in version 7.2.0.3. Refer to APAR IT12605 for URLs to download the fix.

You should verify applying this fix does not cause any compatibility issues.

_For DataPower customers using versions 5.x and earlier versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product. _

Workarounds and Mitigations

None.