Systems Affected
- SNEM 6.1.0 contains SNEM-C 6.1.1.4
- SNEM 6.1.0 contains SNEM-C 6.1.2.2
- SNEM 6.1.0 contains SNEM-C 6.1.3.4
Threat Level
Overview
IBM System Networking Element Manager ships with IBM Java 7 JRE. This JRE contains a variant of the Apache Xerces-J XML parser (XML4J) that is vulnerable to a denial of service attack triggered by malformed XML data.
Description
The Apache Xerces-J XML parser is vulnerable to a denial of service attack triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resources for several minutes before the data is eventually rejected. This behavior can be used to launch a denial of service attack against IBM System Networking Element Manager, which uses IBM Java 7. IBM Java 7 contains a variant of the Apache Xerces-J XML parser (XML4J) to process XML data supplied by remote users.

XML data is processed by only one of the applications bundled in the IBM System Networking Element Manager virtual machine (VM). The System Networking Element Manager Component application (SNEM-C) processes XML data via a REST API that is used for management of information in the VSI DB (HTTPS POST and PUT commands). The IBM Tivoli applications that are bundled with the System Networking Element Manager VM are NOT affected by this vulnerability.
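As an added illustration (not code from the advisory or from IBM's product), one way a service that accepts XML over a REST API can contain a parser that burns CPU for minutes on malformed input: cap the request body size, then parse on a small dedicated pool under a hard deadline so request threads are released and the total CPU an attacker can tie up is bounded. The class name, limits and method names are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.util.concurrent.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

/** Bounded XML intake for a REST endpoint (Java 7 syntax, since the affected
 *  product ships IBM Java 7). Not part of the advisory or the product. */
public class BoundedXmlIntake {
    // Assumed limits for illustration; tune to the payloads the API really accepts.
    static final int MAX_BODY_BYTES = 256 * 1024;
    static final long PARSE_TIMEOUT_MS = 2000L;
    // The pool size caps how many parses can burn CPU at the same time.
    static final ExecutorService PARSE_POOL = Executors.newFixedThreadPool(2);

    public static void parseBounded(final byte[] body) throws Exception {
        if (body.length > MAX_BODY_BYTES) {
            throw new IllegalArgumentException("body exceeds " + MAX_BODY_BYTES + " bytes");
        }
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Standard hardening for parsers fed remote XML (DTD/entity handling is a
        // separate issue from the CPU-exhaustion bug this advisory describes).
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        final SAXParser parser = factory.newSAXParser();

        Future<Void> job = PARSE_POOL.submit(new Callable<Void>() {
            public Void call() throws Exception {
                parser.parse(new ByteArrayInputStream(body), new DefaultHandler());
                return null;
            }
        });
        try {
            job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel() only sets the interrupt flag; the worker may keep parsing until
            // Xerces rejects the input on its own, so the pool bound is what limits CPU.
            job.cancel(true);
            throw new IllegalArgumentException("XML rejected: parse exceeded " + PARSE_TIMEOUT_MS + " ms");
        } catch (ExecutionException e) {
            throw new IllegalArgumentException("XML rejected: " + e.getCause().getMessage());
        }
    }
}
```

A request whose parse exceeds the deadline gets an immediate error response while the worker thread finishes or fails on its own; slow parses should also be logged as a detection signal for this class of input.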
Impact
Solution/ Workarounds
- Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.
References
http://www-01.ibm.com/support/docview.wss?uid=isg3T1019958
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.