IBM Support

JR56569: INFORMATION SERVER IS VULNERABLE TO XML EXTERNAL ENTITY INJECTION (XXE)


APAR status

  • Closed as program error.

Error description

  • An XML External Entity Injection (XXE) vulnerability in
    InfoSphere Information Server can be used by an attacker to
    retrieve local resources, list directories, and retrieve
    sensitive documents such as configuration files.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of Information Server
    ****************************************************************
    PROBLEM DESCRIPTION:
    An XML External Entity Injection (XXE) vulnerability in
    InfoSphere Information Server can be used by an attacker to
    retrieve local resources, list directories, and retrieve
    sensitive documents such as configuration files. (CVE-2016-6059)
    ****************************************************************
    RECOMMENDATION:
    Refer to Security bulletin
    http://www.ibm.com/support/docview.wss?uid=swg21991683 for
    actions to perform.
    ****************************************************************
    

Problem conclusion

  • Fix coded
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR56569

  • Reported component name

    INFO SRVR PLATF

  • Reported component ID

    5724Q3612

  • Reported release

    B50

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-09-12

  • Closed date

    2016-10-31

  • Last modified date

    2016-10-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    INFO SRVR PLATF

  • Fixed component ID

    5724Q3612

Applicable component levels

  • RB31 PSY

       UP

  • RB50 PSY

       UP

Document Information

Modified date:
15 October 2021