
Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)

Created by Clyde Mendonca on
Published URL:
https://www.ibm.com/support/pages/node/718887

Security Bulletin


Summary

An XML External Entity Injection (XXE) vulnerability in InfoSphere Information Server Manager can potentially be used by an attacker to retrieve sensitive documents.

Information Server Manager has a bulk import feature to help users import lists of Source Control Module (SCM) websites or user names.
Use case examples for the bulk load feature are:
- Multiple users want to use the SCM and there are three or more sites that need to be added.
- DataStage version upgrades (for example, version 11.3 to version 11.5)
IBM Information Server Manager uses XML format for export and import of the SCM website names and links. Information Server Manager also allows the same information to be entered manually in the Add Available Software Sites dialog.

There is a potential vulnerability when importing the website list using XML import.

Vulnerability Details

CVEID: CVE-2018-1727
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147630 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7

Remediation/Fixes

None

Workarounds and Mitigations

For all releases of Information Server Manager:

• Avoid using the XML import option. Instead, use the ADD button in the Add Available Software Sites dialog to enter site and link information manually where possible.

• If XML format has to be used for import, manually check the XML file before importing it for a DTD / DOCTYPE section or any element other than the site tag. DTD sections are not required in XML files used with Information Server Manager, and if one is present it can be safely removed before importing. If a DTD / DOCTYPE section is present, verify its contents for any unexpected content.

Sample XML for import:

    <?xml version="1.0" encoding="UTF-8"?>
    <bookmarks>
              <site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
    </bookmarks>

• In Information Server installations where Information Server Manager (ISM) or its features were not used previously, deleting the folder <IIS_HOME>\Clients\istools\manager (for example, C:\IBM\InformationServer\Clients\istools\manager) on the client tier can resolve the vulnerability.

Removing the Information Server Manager (ISM) executable located in this folder does not impact the use of command-line utilities such as istools, which will continue to function normally even without the ISM folder.

Note that there are no ISM related components installed on the Services or Engine tiers. Hence, no action is required on those tiers.
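The manual pre-import check in the second mitigation above can be scripted. This is an added example, not IBM's code: it parses a candidate import file with the standard-library expat parser (which does not fetch external entities on its own), reports any DOCTYPE or entity declaration, and flags any element other than bookmarks/site or any site entry without an http(s) url; a file is only handed to the XML import option when the list of findings is empty. The element and attribute names are taken from the bulletin's sample; the sample file below is constructed.

```python
import xml.parsers.expat

# The only elements the import format needs (see the sample above).
ALLOWED_ELEMENTS = {"bookmarks", "site"}
REQUIRED_SITE_ATTRS = {"url", "name", "selected"}


def check_bookmarks_xml(data: bytes) -> list[str]:
    """Return the findings for one import file; an empty list means clean."""
    findings: list[str] = []

    # expat reports declarations through callbacks, so a DOCTYPE is caught
    # however it is spaced or placed in the prologue.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration for '{name}' (not needed; remove it)")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        findings.append(f"{kind} entity declaration '{name}'")

    def on_start(name, attrs):
        if name not in ALLOWED_ELEMENTS:
            findings.append(f"unexpected element <{name}>")
        elif name == "site":
            missing = REQUIRED_SITE_ATTRS - set(attrs)
            if missing:
                findings.append(f"<site> is missing attributes {sorted(missing)}")
            url = attrs.get("url", "")
            if not url.startswith(("http://", "https://")):
                findings.append(f"<site> url is not an http(s) URL: {url!r}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


# Constructed sample in the bulletin's import format (not a real IBM file).
CLEAN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookmarks>
  <site url="http://dl.microsoft.com/eclipse/tfs" selected="true" name="TFS_Microsoft"/>
</bookmarks>
"""

if __name__ == "__main__":
    for line in check_bookmarks_xml(CLEAN_SAMPLE) or ["clean: safe to import"]:
        print(line)
```

Run it against each exported or hand-edited file before importing; any finding means the file should be fixed or rejected rather than imported.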

References

Acknowledgement

This vulnerability was reported to IBM by Jakub Palaczynski.

Change History

08 October 2018: Original version published
12 November 2025: Additional mitigation by removal of Information Server Manager folder

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT 118654


Document Information

Modified date: 12 November 2025
UID: ibm10718887