Security Bulletin
Summary
Open Source Xerces-C XML parser vulnerability affects IBM InfoSphere Information Server.
Vulnerability Details
CVEID: CVE-2016-0729
DESCRIPTION: Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by improper bounds checking during processing and error reporting. By sending specially crafted input documents, an attacker could exploit this vulnerability to cause the library to crash or possibly execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server Connectivity components, DataStage (XML input, output, and transformer stages), Information Analyzer, Quality Stage, and Information Server Pack for Data Masking: versions 8.5, 8.7, 9.1, 11.3, and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5
Remediation/Fixes
| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM InfoSphere Information Server Connectivity components, DataStage (XML input, output, transformer stages), Information Analyzer, Quality Stage, and Information Server Data Masking Stage, Information Server on Cloud | 11.5 | JR56155 | Apply the IBM InfoSphere Connectivity Security patch. Users of the InfoSphere Information Server Data Masking Stage should re-generate the license files as follows: 1. Add the directory containing the Optim Data Privacy Providers binary files (the ODPP installation directory) to the library path environment variable: on Windows, add the directory to PATH; on Linux, add the directory to LD_LIBRARY_PATH; on AIX, add the directory to LIBPATH. 2. Run the ODPPLic program from the bin directory of the ODPP installation. For example, on Windows: C:\IBM\InformationServer\Server\odpp\win\bin\ODPPLicp.exe OPTDIST ID=xxxx KEY=xxxxxxxx. For more information, see the Optim Data Privacy Providers user's guide. |
| IBM InfoSphere Information Server Connectivity components, DataStage (XML input, output, transformer stages), Information Analyzer, Quality Stage, and Information Server Pack for Data Masking | 11.3 | JR56155 | Apply the IBM InfoSphere Connectivity Security patch. Users of the InfoSphere Information Server Pack for Data Masking should apply IBM InfoSphere Optim Data Privacy Providers version 9.1 Fix Pack 6 with interim fix OMOD-09.01.00-011, as per the following installation instructions. |
| IBM InfoSphere Information Server Connectivity components, DataStage (XML input, output, transformer stages), Information Analyzer, Quality Stage, and Information Server Pack for Data Masking | 9.1 | JR56155 | Apply the IBM InfoSphere Connectivity Security patch. |
| IBM InfoSphere Information Server Connectivity components, DataStage (XML input, output, transformer stages), Information Analyzer, Quality Stage, and Information Server Pack for Data Masking | 8.7 | JR56155 | Apply the IBM InfoSphere Connectivity Security patch. Users of the InfoSphere Information Server Pack for Data Masking should contact IBM Customer Support. |
| IBM InfoSphere Information Server Connectivity components, DataStage (XML input, output, transformer stages), Information Analyzer, Quality Stage, and Information Server Pack for Data Masking | 8.5 | JR56155 | Contact IBM Customer Support. |
For IBM InfoSphere Information Server versions 8.5 and 8.7, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Contact Technical Support:
In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with Information Server Technical Support.
Workarounds and Mitigations
None
References
Change History
24 August 2016: Original version published
09 December 2016: Updated fix for versions 8.7 and 9.1
04 January 2017: Updated fix list
05 January 2017: Updated to remove 04-Jan update
24 January 2017: Updated with complete fix for versions 9.1, 11.3 and 11.5
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
PSIRT 77170
Document Information
Modified date:
16 June 2018
UID
swg21988931