IBM Security Bulletin: IBM Rational Software Architect Design Manager does not handle incoming requests containing XML in a safe manner (CVE-2018-1456, CVE-2018-1587)

Usage of XML external entities in RSA DM linktype definitions comprises a security risk including disclosure of local files. An error message displayed when parsing incorrect XML can disclose unnecessary technical details that can be potentially used to construct new attacks.

CVE(s): CVE-2018-1456, CVE-2018-1587

Affected product(s) and affected version(s):

IBM Rational Software Architect Design Manager 4.0.0 – 4.0.7
IBM Rational Software Architect Design Manager 5.0.0 – 5.0.2
IBM Rational Software Architect Design Manager 6.0.0 – 6.0.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22016801
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/140091
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/143500

The post IBM Security Bulletin: IBM Rational Software Architect Design Manager does not handle incoming requests containing XML in a safe manner (CVE-2018-1456, CVE-2018-1587) appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team https://ift.tt/2HbEl1h