Security Bulletin: Vulnerability in Castor library affects IBM Cúram (CVE-2014-3004)

Published: 2018-06-17 13:05:37
Source: www.ibm.com
EPSS: 0.016 (percentile 87.6%)

Summary

IBM Cúram ships with a third-party library, Castor, that is vulnerable to XML External Entity (XXE) injection.

Vulnerability Details

**CVEID:** CVE-2014-3004
**DESCRIPTION:** Castor Library could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93519 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 4.5
IBM Cúram Social Program Management 5.2
IBM Cúram Social Program Management 6.0.3
IBM Cúram Social Program Management 6.0.4
IBM Cúram Social Program Management 6.0.5
IBM Cúram Social Program Management 6.0 SP2
IBM Cúram Social Program Management 6.0.5.5a

Remediation/Fixes

Product | VRMF | Remediation/First Fix
---|---|---
Cúram SPM | 4.5 | See Workaround
Cúram SPM | 5.2 | See Workaround
Cúram SPM | 6.0.3 | See Workaround
Cúram SPM | 6.0.4 | See Workaround
Cúram SPM | 6.0.5 | See Workaround, or visit IBM Fix Central and upgrade to 6.0.5.8 or a subsequent 6.0.5 release
Cúram SPM | 6.0 SP2 | See Workaround
Cúram SPM | 6.0.5.5a | Visit IBM Fix Central and upgrade to 6.0.5.8 or a subsequent 6.0.5 release

Workarounds and Mitigations

IBM notes that ordinary end users cannot exploit this vulnerability: only a developer or an administrator is in a position to introduce the malicious XML content that Castor would process.

To mitigate the vulnerability, make the following changes to the castor.properties file shipped inside castor.jar in the CuramSDEJ/lib directory.

These settings configure the SAX 2 parser that Castor uses so that it no longer resolves external entity references, the root cause of XXE attacks: the Xerces feature that rejects any DOCTYPE declaration is enabled, and the features that resolve external general entities, external parameter entities and external DTDs are disabled. Castor reads them from its root configuration file, castor.properties. The required settings are:

======================================================================
# Comma separated list of SAX 2 features that should be enabled
# for the default parser.
org.exolab.castor.sax.features=\
  http://apache.org/xml/features/disallow-doctype-decl

# Comma separated list of SAX 2 features that should be disabled
# for the default parser.
org.exolab.castor.sax.features-to-disable=\
  http://xml.org/sax/features/external-general-entities,\
  http://xml.org/sax/features/external-parameter-entities,\
  http://apache.org/xml/features/nonvalidating/load-external-dtd
======================================================================
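The following is an added example, not code from IBM or the Castor project. It applies the same four SAX 2 feature URIs listed in the workaround to a plain JAXP XMLReader (the JDK's built-in Xerces, Java 11 or later assumed) and parses a constructed XXE payload twice: once with the parser defaults, which expand the external entity and leak the contents of a local file, and once with the features set as castor.properties would set them, which rejects the document before any entity is resolved. The class name, the temporary file and the payload are all constructed for the demonstration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not Castor or IBM code): shows the effect of the SAX 2
 * features from the castor.properties workaround on an XXE payload.
 */
public class CastorXxeFeatures {

    // The exact feature URIs named in the castor.properties workaround.
    static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Build a reader; when hardened, apply the same features castor.properties would. */
    static XMLReader newReader(boolean hardened) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        if (hardened) {
            reader.setFeature(DISALLOW_DOCTYPE, true);    // org.exolab.castor.sax.features
            reader.setFeature(EXTERNAL_GENERAL, false);   // org.exolab.castor.sax.features-to-disable
            reader.setFeature(EXTERNAL_PARAMETER, false);
            reader.setFeature(LOAD_EXTERNAL_DTD, false);
        }
        return reader;
    }

    /** Parse and return the concatenated character data, i.e. what an expanded entity leaks. */
    static String textContent(XMLReader reader, String xml) throws Exception {
        StringBuilder out = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                out.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file.
        Path secret = Files.createTempFile("castor-xxe-demo", ".txt");
        Files.writeString(secret, "db.password=hunter2");

        // Constructed XXE payload: the external general entity points at that file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE mapping [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<mapping>&xxe;</mapping>";

        // Default reader: the entity is resolved and the file contents come back as text.
        System.out.println("default reader : " + textContent(newReader(false), payload));

        // Hardened reader: disallow-doctype-decl rejects the DOCTYPE before any entity is read.
        try {
            System.out.println("hardened reader: " + textContent(newReader(true), payload));
        } catch (SAXParseException e) {
            System.out.println("hardened reader: rejected -> " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac CastorXxeFeatures.java && java CastorXxeFeatures`; the first line prints `db.password=hunter2`, the second reports a parse error mentioning the DOCTYPE. After editing the properties file, confirm the values actually reached the deployed JAR rather than only a working copy: list the entry with `unzip -l CuramSDEJ/lib/castor.jar | grep castor.properties` and print it with `unzip -p` on that path, checking that both `org.exolab.castor.sax.features` and `org.exolab.castor.sax.features-to-disable` carry the URIs above.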
