Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)
An XML External Entity Injection (XXE) vulnerability in InfoSphere Information Server Manager can potentially be used by an attacker to retrieve sensitive documents.
Information Server Manager has a bulk import feature to help users import lists of Source Control Module (SCM) websites or user names.
Use case examples for the bulk load feature are:
- Multiple users want to use the SCM and there are three or more sites that need to be added.
- DataStage version upgrades (for example, version 11.3 to version 11.5)
IBM Information Server Manager uses an XML format to export and import the SCM web site names and links. Information Server Manager also allows the same information to be keyed in manually in the Add Available Software Sites dialog.
There is a potential vulnerability when importing the website list using XML import.
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147630 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
Affected Products and Versions
The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7
Workarounds and Mitigations
For all releases of Information Server Manager:
• Avoid using the XML import option. Instead, use the ADD button to enter site and link information manually where possible.
• If XML import has to be used, manually inspect the XML file before importing it and confirm that it contains nothing other than the site tag, in particular no DTD / DOCTYPE section. DTD sections are not required in XML files used with Information Server Manager, and if present they can be safely removed before importing. If a DTD / DOCTYPE section is present, review its contents for anything unexpected.
Sample XML for import:
<?xml version="1.0" encoding="UTF-8"?>
<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
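The manual check above can be scripted. The following is an added example, not IBM's own code: it rejects any file that carries a DTD/DOCTYPE section before the XML is parsed, then confirms that nothing but site elements is present. The sample inputs are constructed, and the requirement that each site element carry url and name attributes is an assumption drawn from the sample above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the format the bulletin shows for import.
SAFE_SITE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>'
)

# Constructed sample that must be rejected: it carries a DOCTYPE section
# declaring an external entity, which the site list format never needs.
# The SYSTEM URI is a placeholder, not a real path.
DOCTYPE_SITE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE site [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path"> ]>\n'
    '<site url="&ext;" selected="true" name="TFS_Microsoft"/>'
)

# Constructed sample with an element other than site, which the bulletin
# also says should not be present.
EXTRA_ELEMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft">'
    '<include href="other.xml"/></site>'
)

# Any DOCTYPE or ENTITY declaration is grounds for rejection; the check runs
# on the raw text so nothing is expanded before the decision is made.
DTD_MARKER = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)
REQUIRED_ATTRS = {"url", "name"}  # assumed from the sample, not stated by IBM


def check_site_import(xml_text: str):
    """Pre-import check for a site list file. Returns (accepted, reason)."""
    if DTD_MARKER.search(xml_text):
        return False, "DTD/DOCTYPE section present; remove it before importing"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    # Walk every element, including nested ones: only <site> is allowed.
    unexpected = sorted({el.tag for el in root.iter() if el.tag != "site"})
    if unexpected:
        return False, "unexpected element(s): " + ", ".join(unexpected)
    for el in root.iter("site"):
        missing = REQUIRED_ATTRS - set(el.attrib)
        if missing:
            return False, "site entry missing attribute(s): " + ", ".join(sorted(missing))
    return True, f"accepted: {sum(1 for _ in root.iter('site'))} site entry(ies)"
```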
This vulnerability was reported to IBM by Jakub Palaczynski.
08 October 2018: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Software version: 9.1, 11.3, 11.5, 11.7
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 0718887
Modified date: 08 October 2018