Security Bulletin: XML External Entity injection vulnerability in jdom may affect custom apps in IBM Business Automation Workflow - CVE-2021-33813

Summary

IBM Business Automation Workflow packages jdom. An XML External Entity (XXE) injection vulnerability was reported for jdom: Due to insecure default settings in jdom, a careless client application may fail to disable XML External Entity expansion features in the XML parser used by the library. While this is not the case in product code, the library is updated to protect custom code that might have accidentally referred to this copy of the library.

Vulnerability Details

CVEID:CVE-2021-33813
**DESCRIPTION:**JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause the a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203804 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Status

V23.0.1 - V23.0.1-IF001
V22.0.2 - V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF023
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes

| affected
IBM Business Automation Workflow traditional | V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3 | affected
IBM Business Automation Workflow Enterprise Service Bus | V22.0.2, V23.0.1 | affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT225151 as soon as practical.

Workarounds and Mitigations

None