CVE-2017-1289

IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.

Weakness

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

Name	Vendor	Start Version	End Version
Sdk	Ibm	*	6 (including)
Sdk	Ibm	*	6r1 (including)
Sdk	Ibm	*	7 (including)
Sdk	Ibm	*	7r1 (including)
Sdk	Ibm	*	8 (including)
Red Hat Enterprise Linux 6 Supplementary	RedHat	java-1.8.0-ibm-1:1.8.0.4.5-1jpp.1.el6_9	*
Red Hat Enterprise Linux 6 Supplementary	RedHat	java-1.7.1-ibm-1:1.7.1.4.5-1jpp.2.el6_9	*
Red Hat Enterprise Linux 6 Supplementary	RedHat	java-1.6.0-ibm-1:1.6.0.16.45-1jpp.1.el6_9	*
Red Hat Enterprise Linux 7 Supplementary	RedHat	java-1.8.0-ibm-1:1.8.0.4.5-1jpp.1.el7_3	*
Red Hat Enterprise Linux 7 Supplementary	RedHat	java-1.7.1-ibm-1:1.7.1.4.5-1jpp.1.el7_3	*
Red Hat Satellite 5.8	RedHat	java-1.8.0-ibm-1:1.8.0.5.5-1jpp.1.el6_9	*
Red Hat Satellite 5.8 ELS	RedHat	java-1.8.0-ibm-1:1.8.0.5.5-1jpp.1.el6_9	*
Ibm-java80	Ubuntu	bionic	*
Ibm-java80	Ubuntu	upstream	*
Ibm-java80	Ubuntu	xenial	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/221.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-1289
CWE	https://cwe.mitre.org/data/definitions/611.html

Improper Restriction of XML External Entity Reference

Weakness

Affected Software

Potential Mitigations

References

CVE-2017-1289

Improper Restriction of XML External Entity Reference

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References