XML External Entity Information Disclosure Vulnerability in IBM WebSphere

Systems Affected

Threat Level

Overview

An Information Disclosure Vulnerability has been reported in IBM WebSphere which could allow a remote attacker to gain sensitive information by executing specially-crafted XML data

Description

Insufficient input validation exists in callService.do when processing URL parameters in XML entity as service inputs.

A remote attacker could exploit this issue by triggering XML External Entity (XXE) error (service failure error) while processing XML data to obtain sensitive information on the target system .

Impact

Solution/ Workarounds

Apply appropriate patches as mentioned in the IBM Security Bulletin

http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616

References

http://www.cert-in.org.in/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.