IBM Operational Decision Manager has addressed the vulnerability CVE-2018-1821
CVEID: CVE-2018-1821
**DESCRIPTION:** IBM Operational Decision Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150170 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
Select the following interim fix to upgrade your installation of ODM based on your version of the product:
Interim fix for APAR RS03231 and RS03192 is available from IBM Fix Central:
IBM Operational Decision Manager v8.6: 8.6.0.3-WS-ODM_DS-IF035
IBM Operational Decision Manager v8.7: 8.7.1.2-WS-ODM_DS-IF079
IBM Operational Decision Manager v8.8: 8.8.1.3-WS-ODM_DS-IF090
IBM Operational Decision Manager v8.9: 8.9.2.1-WS-ODM_DS-IF004
For IBM WebSphere Operational Decision Management v7.1, v7.5, v8.0, and v8.5, IBM recommends upgrading to a fixed supported version.
For v8.6 and v8.7, a context parameter has been added to the HTDS application descriptor to prevent the vulnerability in the validation feature with JDK 1.6.
Edit the web.xml in the HTDS WAR file to change the property DisableInsecureXMLValidation as needed:
```xml
<!-- Specify whether XML validation of requests is enabled for Java versions lower than 1.7.0
     Possible values are: true, false
     true  : XML validation is disabled when Java version is before 1.7.0
     false : XML validation is enabled, for all Java versions
-->
<context-param>
    <param-name>DisableInsecureXMLValidation</param-name>
    <param-value>false</param-value>
</context-param>
```
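To confirm which value a packaged HTDS WAR actually carries, the following Python script (an added example, not part of IBM's bulletin) reads WEB-INF/web.xml from the archive and applies the semantics stated in the descriptor comment. The WAR path and Java version arguments, the helper names and the in-memory sample WAR are assumptions made for illustration.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

PARAM = "DisableInsecureXMLValidation"  # parameter name taken from the bulletin

def read_param(war, name=PARAM):
    """Return the <param-value> text for `name` in WEB-INF/web.xml, or None if absent."""
    with zipfile.ZipFile(war) as zf:
        raw = zf.read("WEB-INF/web.xml")
    # Refuse descriptors that declare a DOCTYPE instead of parsing DTD content.
    if b"<!DOCTYPE" in raw:
        raise ValueError("web.xml declares a DOCTYPE; review it manually")
    for elem in ET.fromstring(raw).iter():
        # Compare local names so namespaced descriptors match as well.
        if elem.tag.rsplit("}", 1)[-1] != "context-param":
            continue
        kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}
        if kids.get("param-name") == name:
            return kids.get("param-value")
    return None

def java_before_1_7(version):
    """True for '1.6.0_45'; False for '1.7', '1.7.0_80' or '1.8.0_181'."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return (nums + (0, 0, 0))[:3] < (1, 7, 0)

def validation_enabled(value, java_version):
    """Apply the web.xml comment's semantics; None means the parameter is absent."""
    if value is None:
        return None  # the bulletin does not state a default
    return not (value.strip().lower() == "true" and java_before_1_7(java_version))

def sample_war(value):
    """Constructed sample input: an in-memory WAR holding only a minimal web.xml."""
    xml = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><context-param>'
           f"<param-name>{PARAM}</param-name><param-value>{value}</param-value>"
           "</context-param></web-app>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    war = sys.argv[1] if len(sys.argv) > 1 else sample_war("false")
    java = sys.argv[2] if len(sys.argv) > 2 else "1.6.0_45"
    value = read_param(war)
    print(f"{PARAM}={value!r}; validation enabled on Java {java}: "
          f"{validation_enabled(value, java)}")
```

Run it with the WAR path and the application server's Java version as arguments; with no arguments it checks the constructed sample.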