WebSphere Message Broker and IBM Integration Bus are affected by a denial of service vulnerability: pattern matching while validating a specially crafted XML document causes the XML4C parser to consume 100% CPU.
CVEID: CVE-2014-8901
DESCRIPTION: The IBM XML4J and XML4C libraries contain a denial of service vulnerability triggered when loading specially crafted content. The parser consumes 100% of the available CPU, causing serious performance degradation of the system.
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99110 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Affected products and versions: WebSphere Message Broker V8; IBM Integration Bus V9 and V10
Product | VRMF | APAR | Remediation/Fix
---|---|---|---
IBM Integration Bus | V10 | IT07064 | An interim fix is available from IBM Fix Central for all platforms: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT07064 The APAR is targeted to be available in fix pack 10.0.0.4.
IBM Integration Bus | V9 | IT07064 | An interim fix is available from IBM Fix Central for all platforms: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT07064 The APAR is targeted to be available in fix pack 9.0.0.6.
WebSphere Message Broker | V8 | IT07064 | An interim fix is available from IBM Fix Central for all platforms: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT07064 The APAR is targeted to be available in fix pack 8.0.0.7.
Applying an interim fix or fix pack containing IT07064 is not by itself sufficient to mitigate the vulnerability. After it is applied, you must also set the following environment variable, which disables the use of regular expressions by the MRM parser. The variable has to be present in the environment from which the broker or integration node is started, so set it before starting the node (or restart the node after setting it):
MQSI_DISABLE_REGEX_IN_XML4C=yes
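The following shell script is an added example; it is not part of this bulletin or of the IBM product. It assumes a Linux system with /proc, and assumes that the broker processes hosting message flows are named DataFlowEngine. A common way an environment-variable mitigation fails to take effect is that the variable was exported in one shell while the node was started by another user, a service script or a profile that does not export it; the script confirms that MQSI_DISABLE_REGEX_IN_XML4C=yes was actually inherited by each running broker process.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin: verify that the mitigation variable
# is present in the environment of the running broker processes.
# On Linux, /proc/<pid>/environ holds the NUL-separated environment a process
# was started with; it is readable by the process owner or root.

# Return 0 if the NUL-separated environ file contains exactly
# MQSI_DISABLE_REGEX_IN_XML4C=yes, 1 if it does not, 2 if the file is unreadable.
mqsi_regex_disabled_in() {
    environ_file=$1
    [ -r "$environ_file" ] || return 2
    # Convert NUL separators to newlines and require an exact whole-line match,
    # so MQSI_DISABLE_REGEX_IN_XML4C=no or a partial name does not pass.
    tr '\0' '\n' < "$environ_file" | grep -qx 'MQSI_DISABLE_REGEX_IN_XML4C=yes'
}

# Check every broker execution process on this host. "DataFlowEngine" is the
# assumed name of the process that hosts message flows (execution groups /
# integration servers); adjust if your deployment differs.
check_dataflowengines() {
    rc=0
    found=0
    for pid in $(pgrep -x DataFlowEngine 2>/dev/null); do
        found=1
        if mqsi_regex_disabled_in "/proc/$pid/environ"; then
            echo "pid $pid: MQSI_DISABLE_REGEX_IN_XML4C=yes is set"
        else
            echo "pid $pid: MQSI_DISABLE_REGEX_IN_XML4C=yes NOT set (export it and restart the node)" >&2
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || echo "no DataFlowEngine processes found" >&2
    return $rc
}

# Typical use after applying the IT07064 fix (node name is a placeholder):
#   export MQSI_DISABLE_REGEX_IN_XML4C=yes
#   mqsistart NODE            # start or restart the node from this environment
#   sh check_regex_mitigation.sh --check
if [ "${1:-}" = "--check" ]; then
    check_dataflowengines
fi
```

Run it as the user that owns the broker processes (or as root), since /proc/<pid>/environ is not readable across users. A non-zero exit from the check means at least one execution process was started without the variable and the node must be restarted from an environment that exports it.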
For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at: http://www.ibm.com/support/docview.wss?uid=swg27006308
Workarounds and Mitigations (other than the fix and environment variable above): None known