1449603 – (CVE-2017-1289) CVE-2017-1289 IBM JDK: XML External Entity Injection (XXE) error when processing XML data

Bug 1449603 (CVE-2017-1289) - CVE-2017-1289 IBM JDK: XML External Entity Injection (XXE) error when processing XML data

Summary: CVE-2017-1289 IBM JDK: XML External Entity Injection (XXE) error when process...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-1289
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1438752
TreeView+	depends on / blocked

Reported:	2017-05-10 10:56 UTC by Tomas Hoger
Modified:	2019-09-29 14:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-10 13:46:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:1220	normal	SHIPPED_LIVE	Moderate: java-1.8.0-ibm security update	2017-05-10 16:44:34 UTC
Red Hat Product Errata	RHSA-2017:1221	normal	SHIPPED_LIVE	Moderate: java-1.7.1-ibm security update	2017-05-10 16:44:04 UTC
Red Hat Product Errata	RHSA-2017:1222	normal	SHIPPED_LIVE	Moderate: java-1.6.0-ibm security update	2017-05-10 16:43:49 UTC
Red Hat Product Errata	RHSA-2017:3453	normal	SHIPPED_LIVE	Important: java-1.8.0-ibm security update	2017-12-13 21:48:15 UTC

Description Tomas Hoger 2017-05-10 10:56:12 UTC

IBM JDK versions 6.0.16.45, 7.0.10.5, 7.1.4.5, and 8.0.4.5 correct a security issue described by upstream as:

CVEID: CVE-2017-1289
DESCRIPTION: IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

References:

https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_May_2017
http://www-01.ibm.com/support/docview.wss?uid=swg22002169
https://exchange.xforce.ibmcloud.com/vulnerabilities/125150

Comment 1 errata-xmlrpc 2017-05-10 12:47:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222

Comment 2 errata-xmlrpc 2017-05-10 12:49:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221

Comment 3 errata-xmlrpc 2017-05-10 12:51:53 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220

Comment 4 errata-xmlrpc 2017-12-13 16:51:51 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453

Note You need to log in before you can comment on or make changes to this bug.