IBM Support

IT19755: SECURITY VULNERABILITY - XML ENTITY EXPANSION (BILLION LAUGHS ATTACKS> LEADS TO DENIAL OF SERVICE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Security Vulnerability - XML Entity Expansion (Billion Laughs
    Attack) leads to Denial of Service.
    
    The IBM Sterling Filegateway application is configured to
    process recursively defined XML entities, which may lead to a
    denial of service condition if a sufficiently large set of
    recursive entity references is defined in the XML request.
    

Local fix

  • None
    
    STRRTC 530673
    KK/KK
    

Problem summary

  • Users Affected:
    All
    
    Problem Description:
    Security Vulnerability - XML entity expansion (billion laughs
    attack) leads to denial of service.
    
    Platforms Affected:
    All
    

Problem conclusion

  • Resolution Summary:
    A code fix is provided.
    
    Delivered In:
    5020602_4
    5020603_2
    6000001
    5020604_1
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT19755

  • Reported component name

    STR B2B INTEGRA

  • Reported component ID

    5725D0600

  • Reported release

    526

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-03-17

  • Closed date

    2017-05-12

  • Last modified date

    2019-03-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR B2B INTEGRA

  • Fixed component ID

    5725D0600

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.2.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
29 March 2019