IBM Integration Bus and WebSphere Message Broker SOAP FLOWS are vulnerable to an XML external entity attack.
CVEID: CVE-2016-9706
DESCRIPTION: IBM Integration Bus and WebSphere Message Broker SOAP FLOWS are vulnerable to a denial of service attack, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119580 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
IBM Integration Bus V10.0 & V9.0
WebSphere Message Broker V8.0
Product | VRMF | APAR | Remediation/Fix
---|---|---|---
IBM Integration Bus | V10 | IT14799 | The APAR is available in fix pack 10.0.0.5: <http://www-01.ibm.com/support/docview.wss?uid=swg24042299>
IBM Integration Bus | V9 | IT14799 | The APAR is available in fix pack 9.0.0.6: <http://www-01.ibm.com/support/docview.wss?uid=swg24042598>
WebSphere Message Broker | V8 | IT14799 | The APAR is available in fix pack 8.0.0.8: <http://www-01.ibm.com/support/docview.wss?uid=swg24042925>
For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at: http://www.ibm.com/support/docview.wss?rs=849&uid=swg27006308
None known
CPE

Name | Operator | Version
---|---|---
ibm integration bus | eq | 10.0
ibm integration bus | eq | 9.0
websphere message broker | eq | 8.0