History: Jun 16, 2018 - 2:08 p.m.

Security Bulletin: IBM InfoSphere Information Governance Catalog is vulnerable to XXE Injection Attack (CVE-2016-0250)

2018-06-16 14:08:06
www.ibm.com

EPSS: 0.001 (Percentile: 43.9%)

Summary

IBM InfoSphere Information Governance Catalog could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error in the XML parser when processing XML data. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.

Vulnerability Details

CVEID: CVE-2016-0250
DESCRIPTION: IBM InfoSphere Information Governance Catalog could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error in the XML parser when processing XML data. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110510 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Governance Catalog: versions 11.3 and 11.5

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
InfoSphere Information Governance Catalog | 11.5 | JR55283 | Apply IBM InfoSphere Information Server version 11.5.0.1; Apply IBM InfoSphere Information Governance Catalog Security patch
InfoSphere Information Governance Catalog | 11.3 | JR55283 | Apply IBM InfoSphere Information Server version 11.3.1.2; Apply IBM InfoSphere Information Governance Catalog Security patch

Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.

Workarounds and Mitigations

None
