IBM Support

webMethods Knowlegebase : XXE (XML eXternal Entities) vulnerability (1790796)

Troubleshooting


Problem

A possible XXE (XML eXternal Entities) attack via the Edit Page portlet in My webMethods Server 9.7. The vulnerability allows to insert malicious XML and perform various attacks such as:

1. Billion laughs attack(https://en.wikipedia.org/wiki/Billion_laughs_attack)

2. Sending HTTP requests to remote sites

3. Executing bash scripts code at the machine where the webMethods runs and reading file contents of the files from remote server.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSVYEV","label":"IBM webMethods Integration"},"ARM Category":[{"code":"a8mKe00000000AQIAY","label":"My webMethods Server (MWS)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Windows Server 2012"}],"Version":"9.7"},{"Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSAWP1J","label":"IBM webMethods BPM"},"ARM Category":[{"code":"a8mKe00000000AQIAY","label":"My webMethods Server (MWS)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Windows Server 2012"}],"Version":"9.7"},{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFIWYE","label":"IBM webMethods B2B"},"ARM Category":[{"code":"a8mKe00000000AQIAY","label":"My webMethods Server (MWS)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Windows Server 2012"}],"Version":"9.7"},{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSQG2X","label":"IBM webMethods Managed File Transfer"},"ARM Category":[{"code":"a8mKe00000000AQIAY","label":"My webMethods Server (MWS)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Windows Server 2012"}],"Version":"9.7"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
20 March 2025

UID

ibm17215564

Page Feedback