IBM Support

IT27938: VULNERABILITY FOUND DURING PENETRATION TEST

APAR status

  • Closed as program error.

Error description

  • DETAIL OF PROBLEM:
    XML External Entity (XXE) - The application is vulnerable to an
    XXE attack.
    This can cause the server to be taken out of service (DoS), make
    the server issue requests (SSRF), and give access to local/remote
    files.
    All of this happens when the SC server processes the XML file
    used to configure AD/LDAP authentication.
    
    RECREATE STEPS:
    When configuring LDAP settings, an XML file can be uploaded.
    The SC server's parsing of that XML file does not check or filter
    the markup written in the XML file in any way.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Spectrum Control 5.2.x and 5.3.x users                   *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * IBM Spectrum Control is vulnerable to XML External           *
    * Entity (XXE) attack.                                         *
    *                                                              *
    * This can cause the server to be taken out of service         *
    * (DoS), make the server issue requests (SSRF), and give       *
    * access to local/remote files.                                *
    *                                                              *
    * The vulnerability in Spectrum Control can only be            *
    * invoked by a Spectrum Control administrator, while           *
    * logged in, by uploading a malicious XML file for             *
    * configuring AD/LDAP authentication.                          *
    *                                                              *
    * The vulnerability is fixed in Spectrum Control               *
    * versions 5.2.17.4 and 5.3.3                                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fix maintenance when available.                        *
    ****************************************************************
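The weakness described in the error description and restated in the problem summary (an uploaded AD/LDAP settings XML parsed without any check on the markup it carries) is closed by refusing DTD and entity constructs before the document body is processed. The following Python example is added here; it is not IBM's code and not Spectrum Control's implementation. The element names (`ldapSettings`, `host`, `port`, `baseDn`) and both sample documents are constructed assumptions. It configures the standard-library expat parser so that a DOCTYPE, an entity declaration or an external entity reference aborts parsing, which removes the local/remote file read, SSRF and entity-expansion (DoS) vectors the APAR lists.

```python
"""Hardened loader for an uploaded LDAP/AD settings XML (added example)."""
import xml.parsers.expat

# Constructed sample: a benign settings document of the kind an administrator
# might upload. The element names are assumptions, not a real product schema.
BENIGN_LDAP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ldapSettings>
  <host>ldap.example.invalid</host>
  <port>636</port>
  <baseDn>dc=example,dc=invalid</baseDn>
</ldapSettings>
"""

# Constructed sample carrying a DOCTYPE with an external entity declaration.
# A safe loader must refuse this before any entity is resolved or expanded.
ENTITY_LDAP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ldapSettings [
  <!ENTITY ext SYSTEM "file:///placeholder-path">
]>
<ldapSettings>
  <host>&ext;</host>
</ldapSettings>
"""


class UnsafeXmlError(ValueError):
    """Raised when an upload contains constructs the loader does not allow."""


def _make_hardened_parser():
    """Expat parser whose DTD-related callbacks abort the parse.

    Raising inside an expat handler propagates out of Parse(), so the
    document body after the offending declaration is never processed."""
    p = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declarations are not permitted")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError("entity declarations are not permitted")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError("external entity references are not permitted")

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = reject_external_ref
    return p


def load_ldap_settings(data: bytes) -> dict:
    """Parse an uploaded settings document into a flat dict of leaf-element
    text, refusing any DTD, entity declaration or external entity reference.
    Malformed XML is reported through the same exception type."""
    parser = _make_hardened_parser()
    settings = {}
    stack = []   # open element names, root first
    text = []    # character data of the element currently being read

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def chars(fragment):
        text.append(fragment)  # expat may deliver text in several pieces

    def end(name):
        value = "".join(text).strip()
        if value and len(stack) > 1:   # a leaf below the root element
            settings[name] = value
        text.clear()
        stack.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXmlError(f"malformed XML: {exc}") from None
    return settings


def is_rejected(data: bytes) -> bool:
    """True when the hardened loader refuses the document."""
    try:
        load_ldap_settings(data)
    except UnsafeXmlError:
        return True
    return False


if __name__ == "__main__":
    print(load_ldap_settings(BENIGN_LDAP_XML))
    print("entity sample rejected:", is_rejected(ENTITY_LDAP_XML))
```

Rejecting the DOCTYPE outright is stricter than only disabling external entity resolution, but a configuration upload has no legitimate need for a DTD, and the stricter rule also stops internal entity expansion (the DoS case) rather than just the file-read and SSRF cases. The same policy exists in other parsers; for example, Apache Xerces (used by the JDK's `DocumentBuilderFactory`) exposes it as the `http://apache.org/xml/features/disallow-doctype-decl` feature.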
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT27938

  • Reported component name

    TPC ADVANCED

  • Reported component ID

    5608TPCA0

  • Reported release

    52A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-01-31

  • Closed date

    2019-09-18

  • Last modified date

    2019-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TPC ADVANCED

  • Fixed component ID

    5608TPCA0

Applicable component levels

[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSNECY","label":"Tivoli Storage Productivity Center Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"52A"}]

Document Information

Modified date:
24 June 2022