Mar 23, 2020 - 8:41 p.m.

Security Bulletin: IBM Integration Bus and WebSphere Message Broker SOAP FLOWS are vulnerable to XML external entity attack (CVE-2016-9706)

2020-03-23 20:41:52
www.ibm.com
EPSS: 0.003 (Low), percentile 68.0%

Summary

IBM Integration Bus and WebSphere Message Broker SOAP FLOWS are vulnerable to XML external entity attack.

Vulnerability Details

CVEID: CVE-2016-9706
DESCRIPTION: IBM Integration Bus and WebSphere Message Broker SOAP FLOWS are vulnerable to a denial of service attack, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119580 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
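
For triage of captured SOAP traffic, the following added example (not IBM's code and not part of the bulletin) inspects raw request bodies for the DTD constructs behind the two impacts the description names. The function names, finding labels and sample bodies are assumptions constructed for illustration, and the check does not replace the fix packs listed below.

```python
import codecs
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Captures everything after the entity name; quoted strings may contain '>'.
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?[^\s"'>]+\s+((?:"[^"]*"|'[^']*'|[^>"'])*)>""",
    re.IGNORECASE | re.DOTALL,
)
EXTERNAL_ID_RE = re.compile(r"(SYSTEM|PUBLIC)\b", re.IGNORECASE)
ENTITY_REF_RE = re.compile(r"[&%][A-Za-z_:][\w.:-]*;")
BOMS = ((codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be"))


def decode_body(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 body is not missed by a byte-level match."""
    for bom, encoding in BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(encoding, errors="replace")
    return raw.decode("utf-8", errors="replace")


def inspect_soap_body(raw: bytes) -> list[str]:
    """Return sorted finding labels; the text is never handed to an XML parser."""
    text = decode_body(raw)
    findings = set()
    if DOCTYPE_RE.search(text):
        findings.add("doctype")  # SOAP 1.1 messages must not carry a DTD at all
    for match in ENTITY_RE.finditer(text):
        declaration = match.group(1).lstrip()
        if EXTERNAL_ID_RE.match(declaration):
            findings.add("external-entity")  # information-exposure path
        elif ENTITY_REF_RE.search(declaration):
            findings.add("nested-entity")  # memory-consumption path
    return sorted(findings)


# Constructed sample bodies (not taken from the bulletin).
ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/'
            b'envelope/"><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>')
EXTERNAL = b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://example.invalid/x">]>' + ENVELOPE
NESTED = b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]>' + ENVELOPE
UTF16 = codecs.BOM_UTF16_LE + EXTERNAL.decode("utf-8").encode("utf-16-le")

if __name__ == "__main__":
    for name, body in (("clean", ENVELOPE), ("external", EXTERNAL),
                       ("nested", NESTED), ("utf16", UTF16)):
        print(name, inspect_soap_body(body))
```

Because the SOAP 1.1 specification forbids a Document Type Declaration in a message, any `doctype` finding on a SOAP endpoint is worth investigating regardless of which entity type follows it.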

Affected Products and Versions

IBM Integration Bus V10.0 & V9.0

WebSphere Message Broker V8.0

Remediation/Fixes

| Product | VRMF | APAR | Remediation/Fix |
|---|---|---|---|
| IBM Integration Bus | V10 | IT14799 | The APAR is available in fix pack 10.0.0.5 <http://www-01.ibm.com/support/docview.wss?uid=swg24042299> |
| IBM Integration Bus | V9 | IT14799 | The APAR is available in fix pack 9.0.0.6 <http://www-01.ibm.com/support/docview.wss?uid=swg24042598> |
| WebSphere Message Broker | V8 | IT14799 | The APAR is available in fix pack 8.0.0.8 <http://www-01.ibm.com/support/docview.wss?uid=swg24042925> |

For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at:

http://www.ibm.com/support/docview.wss?rs=849&uid=swg27006308

Workarounds and Mitigations

None known
