Bug 1449603 (CVE-2017-1289) - CVE-2017-1289 IBM JDK: XML External Entity Injection (XXE) error when processing XML data
Summary: CVE-2017-1289 IBM JDK: XML External Entity Injection (XXE) error when process...
Status: CLOSED ERRATA
Alias: CVE-2017-1289
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170509,repor...
Keywords: Security
Depends On:
Blocks: 1438752
TreeView+ depends on / blocked
 
Reported: 2017-05-10 10:56 UTC by Tomas Hoger
Modified: 2018-08-01 17:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-10 13:46:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1220 normal SHIPPED_LIVE Moderate: java-1.8.0-ibm security update 2017-05-10 16:44:34 UTC
Red Hat Product Errata RHSA-2017:1221 normal SHIPPED_LIVE Moderate: java-1.7.1-ibm security update 2017-05-10 16:44:04 UTC
Red Hat Product Errata RHSA-2017:1222 normal SHIPPED_LIVE Moderate: java-1.6.0-ibm security update 2017-05-10 16:43:49 UTC
Red Hat Product Errata RHSA-2017:3453 normal SHIPPED_LIVE Important: java-1.8.0-ibm security update 2017-12-13 21:48:15 UTC

Description Tomas Hoger 2017-05-10 10:56:12 UTC
IBM JDK versions 6.0.16.45, 7.0.10.5, 7.1.4.5, and 8.0.4.5 correct a security issue described by upstream as:

CVEID: CVE-2017-1289
DESCRIPTION: IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

References:

https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_May_2017
http://www-01.ibm.com/support/docview.wss?uid=swg22002169
https://exchange.xforce.ibmcloud.com/vulnerabilities/125150

Comment 1 errata-xmlrpc 2017-05-10 12:47:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222

Comment 2 errata-xmlrpc 2017-05-10 12:49:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221

Comment 3 errata-xmlrpc 2017-05-10 12:51:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220

Comment 4 errata-xmlrpc 2017-12-13 16:51:51 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453


Note You need to log in before you can comment on or make changes to this bug.