
Vulnerability IBM Java XML Parser Used in IBM System Networking Element Manager

 

Systems Affected


  • SNEM 6.1.0 contains SNEM-C 6.1.1.4
  • SNEM 6.1.1 contains SNEM-C 6.1.2.2
  • SNEM 6.1.2 contains SNEM-C 6.1.3.4

Threat Level

Overview


IBM System Networking Element Manager ships with the IBM Java 7 JRE. This JRE contains a variant of the Apache Xerces-J XML parser (XML4J) that is vulnerable to a denial of service attack triggered by malformed XML data.


Description


The Apache Xerces-J XML parser is vulnerable to a denial of service attack triggered by malformed XML data. The malformed data causes the parser to consume CPU for several minutes before the data is eventually rejected. This behaviour can be used to launch a denial of service attack against IBM System Networking Element Manager, which uses IBM Java 7. IBM Java 7 contains a variant of the Apache Xerces-J XML parser (XML4J) that is used to process XML data supplied by remote users.

XML data is processed by only one of the applications bundled in the IBM System Networking Element Manager virtual machine (VM). The System Networking Element Manager Component application (SNEM-C) processes XML data received through the REST API used to manage information in the VSI DB (HTTPS POST and PUT requests). The IBM Tivoli applications bundled with the System Networking Element Manager VM are NOT affected by this vulnerability.
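Until the fix pack is applied, the practical concern is that one crafted request body can pin a CPU for minutes inside the parser itself. The following is an added example, not code from IBM or from SNEM, of a pattern that bounds that cost: untrusted XML is parsed in a short-lived child process under a hard CPU-time limit (RLIMIT_CPU), with a wall-clock backstop, so a pathological document costs at most the budget and is then reported as rejected while the request handler stays responsive. The payload cap, the `parse_vsi_request` parser and its result shape, and the `spinning_parse` stand-in (a constructed busy loop, not the real Xerces-J behaviour) are all assumptions for illustration; the sample XML is constructed.

```python
import multiprocessing
import resource
import xml.etree.ElementTree as ET

MAX_PAYLOAD_BYTES = 64 * 1024   # assumed per-request cap for a REST body
CPU_BUDGET_SECONDS = 1          # whole seconds: RLIMIT_CPU has 1 s granularity


def parse_vsi_request(payload: bytes) -> dict:
    """Assumed application-side parse of a REST request body.
    Returns a plain dict so the result can cross the process boundary."""
    root = ET.fromstring(payload)
    return {"root": root.tag, "elements": sum(1 for _ in root.iter())}


def _parse_in_child(parse, payload, cpu_seconds, conn):
    # Hard CPU budget on this process only. When it is exceeded the kernel
    # delivers SIGXCPU, which terminates the process even if the parser is
    # spinning inside native code that never returns control to Python.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    try:
        conn.send(("ok", parse(payload)))
    except Exception as exc:            # malformed but non-pathological input
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def parse_untrusted_xml(payload: bytes, parse=parse_vsi_request,
                        cpu_seconds=CPU_BUDGET_SECONDS):
    """Parse with bounded cost. Returns ('ok', result) or ('rejected', reason);
    the caller maps 'rejected' to an HTTP 4xx and never waits longer than the
    CPU budget plus a small wall-clock grace period."""
    if len(payload) > MAX_PAYLOAD_BYTES:
        return "rejected", f"payload of {len(payload)} bytes exceeds cap"

    ctx = multiprocessing.get_context("fork")   # args are inherited, not pickled
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    child = ctx.Process(target=_parse_in_child,
                        args=(parse, payload, cpu_seconds, child_conn))
    child.start()
    child_conn.close()                  # parent keeps only the read end
    child.join(timeout=cpu_seconds + 2) # wall-clock backstop for a blocked parser
    if child.is_alive():
        child.kill()
        child.join()
        return "rejected", "parser exceeded wall-clock budget"
    try:
        status, detail = parent_conn.recv()
    except EOFError:
        # Child exited without sending: typically killed by SIGXCPU.
        return "rejected", f"parser killed (exit code {child.exitcode})"
    return ("ok", detail) if status == "ok" else ("rejected", detail)


def spinning_parse(_payload):
    """Constructed stand-in for a parser that burns CPU on malformed input
    instead of rejecting it. It is not the real Xerces-J/XML4J behaviour."""
    while True:
        pass


if __name__ == "__main__":
    good = b"<vsi><profile id='1'/><profile id='2'/></vsi>"   # constructed sample
    print(parse_untrusted_xml(good))
    print(parse_untrusted_xml(b"<vsi><unclosed>"))
    print(parse_untrusted_xml(good, parse=spinning_parse))
    print(parse_untrusted_xml(b"<x>" + b"a" * MAX_PAYLOAD_BYTES + b"</x>"))
```

The CPU limit is the important half: a wall-clock timeout alone only unblocks the caller, whereas RLIMIT_CPU stops the runaway parse from continuing to consume the core. The size cap is cheap and runs before any fork, so oversized bodies never reach the parser at all.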


Impact



Solution/ Workarounds


IBM recommends upgrading affected versions of IBM System Networking Element Manager. The upgrade is available as an install package on IBM Fix Central.


  • SNEM 6.1.0: Upgrade the SNEM VM with SNEM-C 6.1.1.5 using Fix Pack "snem_fixpack_6.1.0.tar.gz"
  • SNEM 6.1.1: Upgrade the SNEM VM with SNEM-C 6.1.2.50 using Fix Pack "snem_fixpack_6.1.1.tar.gz"
  • SNEM 6.1.2: Upgrade the SNEM VM with SNEM-C 6.1.3.5 using Fix Pack "snem_fixpack_6.1.2.tar.gz"


References


http://www-01.ibm.com/support/docview.wss?uid=isg3T1019958


Disclaimer


The information provided herein is on an "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.