IBM Support

PI25310;8.5.5,8.0.0: Potential Security Vulnerability in Communications Enabled Applications (CEA) Service

Download


Abstract

Confidential for Security Integrity ifix

Download Description

PI25310 resolves the following problem:

ERROR DESCRIPTION:
WebSphere Application Server Communications Enabled Applications (CEA) Service could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information. This only occurs if CEA is enabled. By default this is disabled.

LOCAL FIX:

PROBLEM SUMMARY:
Confidential for Security Integrity ifix.

PROBLEM CONCLUSION:
Confidential for Security Integrity ifix.

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

[{"INLabel":"V8.5.5 Readme","INLang":"US English","INSize":"2192","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI25310/8.5.5.3/readme.txt"},{"INLabel":"V8.0 Readme","INLang":"US English","INSize":"2177","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI25310/8.0.0.9/readme.txt"}]
On
[{"DNLabel":"Fix for 8.5.5.0 - 8.5.5.3","DNDate":"24 Nov 2014","DNLang":"US English","DNSize":"251415","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.0-WS-WASProd-IFPI25310&productid=WebSphere Application Server&brandid=5","DNURL_FTP":" ","DDURL":null},{"DNLabel":"Fix for 8.0.0.7 - 8.0.0.9","DNDate":"24 Nov 2014","DNLang":"US English","DNSize":"249164","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.7-WS-WASProd-IFPI25310&productid=WebSphere Application Server&brandid=5","DNURL_FTP":" ","DDURL":null}]

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"SIP Container\/SIP Proxy Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF014","label":"iOS"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5.3;8.5.5.2;8.5.5.1;8.5.5;8.0.0.9;8.0.0.8;8.0.0.7","Edition":"Base;Network Deployment","Line of Business":{"code":"LOB15","label":"Integration"}}]

Document Information

Modified date:
15 June 2018

UID

swg24038968