Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)

Summary

An XML External Entity Injection (XXE) vulnerability in InfoSphere Information Server Manager can potentially be used by an attacker to retrieve sensitive documents.

Information Server Manager has a bulk import feature that helps users import lists of Source Control Module (SCM) websites or user names.
Use case examples for the bulk load feature are:
- Multiple users want to use the SCM and there are three or more sites that need to be added.
- DataStage version upgrades (for example, from version 11.3 to version 11.5)
IBM Information Server Manager uses XML format for exporting and importing the SCM website names and links. Information Server Manager also allows the same information to be entered manually in the Add Available Software Sites dialog.

There is a potential vulnerability when importing the website list using the XML import option.

Vulnerability Details

CVEID: CVE-2018-1727
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147630 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7

Remediation/Fixes

None

Workarounds and Mitigations

For all releases of Information Server Manager:

• Avoid using the XML import option. Instead, where possible, use the ADD button in the Add Available Software Sites dialog to enter site and link information manually.

• If XML format has to be used for import, manually check the XML file before importing it to determine whether it contains a DTD / DOCTYPE section or any section other than the SITE tags. DTD sections are not required in XML files used with Information Server Manager; if one is present, it can be safely removed before importing. IBM recommends manually checking the XML file content before importing the file, and, if there is a DTD / DOCTYPE section, verifying it for any unexpected content.

Sample XML for import:

    <?xml version="1.0" encoding="UTF-8"?>
    <bookmarks>
        <site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
    </bookmarks>
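The manual check described in the mitigation above can be scripted. The following is an added example, not IBM code and not part of this bulletin: it runs a file through the expat parser while observing only the prolog (any DOCTYPE or entity declaration is reported and the file is rejected before any element content is parsed or any entity expanded), and, for DTD-free files, verifies that the document is a `<bookmarks>` element containing only empty `<site>` elements with `url`, `selected` and `name` attributes, the shape of the sample file shown above. The sample inputs other than the bulletin's own sample are constructed for the example; the file name in the usage comment is assumed.

```python
"""Pre-import check for an Information Server Manager site-list XML file.

Added example, not IBM code. It automates the bulletin's advice: look for a
DTD/DOCTYPE section and for anything other than the expected <site> entries
before importing. The expected shape is taken from the bulletin's sample file.
"""
import sys
import xml.etree.ElementTree as ET
from xml.parsers import expat

EXPECTED_ROOT = "bookmarks"
EXPECTED_CHILD = "site"
ALLOWED_SITE_ATTRS = {"url", "selected", "name"}


class _PrologDone(Exception):
    """Raised from the start-element handler to end pass 1 at the root element."""


def inspect_import_xml(data: bytes) -> list:
    """Return a list of findings; an empty list means the file looks safe to import.

    Pass 1 runs expat over the prolog only: it records DOCTYPE and entity
    declarations, never loads external DTDs or parameter entities, and stops at
    the root element, so nothing from a suspect file is ever expanded.
    Pass 2 (only when pass 1 found nothing) checks the element structure.
    """
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration present (root={name!r}, system id={sysid!r}, "
                        f"internal subset={bool(has_internal_subset)})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid or pubid:
            findings.append(f"external {kind} entity {name!r} -> {sysid!r}")
        else:
            findings.append(f"internal {kind} entity {name!r} (expansion risk)")

    def on_root_element(name, attrs):
        raise _PrologDone  # prolog finished; element content is not parsed in pass 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_root_element
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:
        return [f"not well-formed XML: {exc}"]
    if findings:
        return findings  # a DTD is never needed here: reject before building a tree

    try:
        root = ET.fromstring(data)  # no DTD, so only the predefined entities can appear
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != EXPECTED_ROOT:
        findings.append(f"unexpected root element <{root.tag}>")
    for child in root:
        if child.tag != EXPECTED_CHILD:
            findings.append(f"unexpected element <{child.tag}> under <{root.tag}>")
            continue
        extra = sorted(set(child.attrib) - ALLOWED_SITE_ATTRS)
        if extra:
            findings.append(f"unexpected attribute(s) on <site>: {extra}")
        if len(child) or (child.text or "").strip():
            findings.append("<site> should be an empty element but has content")
        url = child.get("url", "")
        if not url.lower().startswith(("http://", "https://")):
            findings.append(f"<site> url is not http(s): {url!r}")
    return findings


# Constructed sample inputs. SAMPLE_OK is the bulletin's own sample file.
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookmarks>
    <site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
</bookmarks>
"""
# A DTD declaring an external entity (placeholder system identifier): must be rejected.
SAMPLE_DTD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bookmarks [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path"> ]>
<bookmarks><site url="http://scm.example.invalid/updates" selected="true" name="Example"/>
<note>&ext;</note></bookmarks>
"""
# No DTD, but an unexpected attribute and an unexpected element.
SAMPLE_SHAPE = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookmarks><site url="https://scm.example.invalid/updates" selected="false" name="Git" token="x"/>
<note>added by hand</note></bookmarks>
"""

if __name__ == "__main__":  # usage: python check_site_list.py file.xml [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = inspect_import_xml(fh.read())
        print(f"{path}: {'DO NOT IMPORT' if result else 'OK'}", *result, sep="\n  - ")
```

Rejecting any DOCTYPE outright, rather than trying to judge whether a given DTD is harmless, follows the bulletin's statement that DTD sections are never required for these files; a file that fails the check can be cleaned by deleting the DTD and re-running the script, or by entering the sites through the dialog instead.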

References

Acknowledgement

This vulnerability was reported to IBM by Jakub Palaczynski.

Change History

08 October 2018: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT 118654

Document Information

Modified date:
08 October 2018

UID

ibm10718887