IBM Security Bulletin: Vulnerability in Rational Rhapsody Design Manager with potential for Denial of Service attack

IBM Rhapsody Design Manager is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data.

CVE(s): CVE-2016-8974, CVE-2015-7485

Affected product(s) and affected version(s):

Rational Rhapsody Design Manager 4.0 – 4.0.7
Rational Rhapsody Design Manager 5.0 – 5.0.2
Rational Rhapsody Design Manager 6.0 – 6.0.2

Design Manager 6.0.3 is not affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2lnSVIM
X-Force Database: http://ift.tt/2kSLfBn
X-Force Database: http://ift.tt/1U5JqtV

from IBM Product Security Incident Response Team http://ift.tt/2kSIyQ9