High Severity

IBM Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)


An XML External Entity Injection (XXE) vulnerability in InfoSphere Information Server Manager can potentially be used by an attacker to retrieve sensitive documents.

Information Server Manager has a bulk import feature to help users import lists of Source Control Module (SCM) websites or user names. Use case examples for the bulk load feature are:
– Multiple users want to use the SCM and there are three or more sites that need to be added.
– DataStage version upgrades (for example, version 11.3 to version 11.5).

IBM Information Server Manager uses XML format for export and import of the SCM web site name and the links. Information Server Manager also allows the same information to be entered manually in the Add Available Software Sites dialog. The potential vulnerability arises when the website list is imported using the XML import.
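As an added example (not IBM's code), a defensive way to parse such a site list in Python: any DOCTYPE is rejected before an entity can be declared, and no external entity resolver is installed, so the parser has no way to read local files or URLs. The `<sites>/<site>/<url>` layout and the sample documents are constructed stand-ins, since the bulletin does not show the real import format.

```python
from xml.parsers import expat


class DtdNotAllowed(ValueError):
    """The import document declares a DOCTYPE, which is where XXE entities live."""


def parse_site_list(xml_bytes: bytes) -> list[tuple[str, str]]:
    """Return (site name, URL) pairs; refuse any document that carries a DTD."""
    sites: list[tuple[str, str]] = []
    current: list[str] = []   # [name, url] for the <site> currently being read
    text: list[str] = []      # character data of the element currently open

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as expat sees "<!DOCTYPE", before any entity is declared.
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not allowed in a site list")

    def start_element(tag, attrs):
        if tag == "site":
            current[:] = [attrs.get("name", "")]
        text.clear()

    def end_element(tag):
        if tag == "url" and current:
            current.append("".join(text).strip())
        elif tag == "site" and len(current) == 2:
            sites.append((current[0], current[1]))
            current.clear()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = text.append
    # No ExternalEntityRefHandler is installed, so expat cannot fetch anything.
    parser.Parse(xml_bytes, True)
    return sites


# Constructed sample input (the real import schema is not shown in the bulletin).
GOOD_SITE_LIST = b"""<?xml version="1.0"?>
<sites>
  <site name="Team SCM"><url>https://scm.example.internal/svn</url></site>
  <site name="Archive"><url>https://archive.example.internal/git</url></site>
</sites>"""

# Same layout, but with an external entity declared; parse_site_list refuses it.
XXE_SITE_LIST = b"""<?xml version="1.0"?>
<!DOCTYPE sites [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>
<sites><site name="Bad"><url>&ext;</url></site></sites>"""
```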

CVE(s): CVE-2018-1727

Affected product(s) and affected version(s):

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5 and 11.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10718887
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/147630
