IBM Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527)
IBM Business Process Manager (BPM) can process XML messages, including messages from untrusted sources. Because of insufficient restriction of an XML parser, XML External Entity injection allows an authenticated remote attacker to send specially crafted XML messages and thus cause a denial of service by exhausting system resources or exfiltrate sensitive information.
CVE(s): CVE-2017-1527
Affected product(s) and affected version(s):
– IBM Business Process Manager V7.5.0.0 through V7.5.1.2
– IBM Business Process Manager V8.0.0.0 through V8.0.1.3
– IBM Business Process Manager V8.5.0.0 through V8.5.0.2
– IBM Business Process Manager V8.5.5.0
– IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
– IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2wNT6Ck
X-Force Database: http://ift.tt/2xvyItf
The post IBM Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team http://ift.tt/2wNRJDW