History: Sep 25, 2022 - 10:31 p.m.

Security Bulletin: XML External Entity (XXE) security vulnerability in InfoSphere Guardium (CVE-2012-3340)

2022-09-25 22:31:03
www.ibm.com

EPSS

0.002

Percentile

59.5%

Abstract

XML External Entity (XXE) security vulnerability in InfoSphere Guardium allows remote authenticated users to obtain sensitive information via unspecified vectors.

Content

VULNERABILITY DETAILS:
CVE ID: CVE-2012-3340

DESCRIPTION:
A user can reach an error report that contains the content of a file on the server holding the database password.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/78291> for the current score
CVSS Environmental Score*: Undefined

AFFECTED PLATFORMS:
IBM InfoSphere Guardium 8.2 and earlier

REMEDIATION:
Apply the patch for password disclosure. The patch is included within the latest GPU for each version.

As of August 24, 2012, the latest Guardium patches and GPU fixpacks for all versions are available through FixCentral.

REFERENCES:
· On-line Calculator V2
· X-Force Vulnerability Database
· CVE-2012-3312

RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog

[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU059","label":"IBM Software w/o TPS"},"Component":"–","Platform":[{"code":"PF016","label":"Linux"}],"Version":"8.2;8.0.1;8.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
