CVE-2014-3087: Infoleak
First published: Sun Aug 17 2014(Updated: )
callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Business Process Manager | =7.5.0.0 | |
| IBM Business Process Manager | =7.5.0.1 | |
| IBM Business Process Manager | =7.5.1.0 | |
| IBM Business Process Manager | =7.5.1.1 | |
| IBM Business Process Manager | =7.5.1.2 | |
| IBM Business Process Manager | =8.0.0.0 | |
| IBM Business Process Manager | =8.0.1.0 | |
| IBM Business Process Manager | =8.0.1.1 | |
| IBM Business Process Manager | =8.0.1.2 | |
| IBM Business Process Manager | =8.5.0.0 | |
| IBM Business Process Manager | =8.5.0.1 | |
| IBM Business Process Manager | =8.5.5.0 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/60752
- http://secunia.com/advisories/60755
- http://secunia.com/advisories/60757
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
- http://www-01.ibm.com/support/docview.wss?uid=swg21679726
- http://www.securityfocus.com/bid/69264
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94112
Frequently Asked Questions
What is the severity of CVE-2014-3087?
CVE-2014-3087 has a severity rating that varies based on the specific deployment, but it is generally considered as high due to the ability of authenticated users to exploit the vulnerability.
How do I fix CVE-2014-3087?
To fix CVE-2014-3087, IBM recommends updating to the latest version of the Business Process Manager or applying the appropriate security patches provided for affected versions.
Who is affected by CVE-2014-3087?
CVE-2014-3087 affects users of IBM Business Process Manager versions 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5.
What type of vulnerability is CVE-2014-3087?
CVE-2014-3087 is an XML External Entity (XXE) vulnerability that allows for arbitrary file reading.
Can CVE-2014-3087 be exploited remotely?
Yes, CVE-2014-3087 can be exploited remotely by authenticated users, enabling them to read arbitrary files on the server.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/remedy
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/ibm
- canonical/ibm business process manager
- version/ibm business process manager/7.5.0.0
- version/ibm business process manager/7.5.0.1
- version/ibm business process manager/7.5.1.0
- version/ibm business process manager/7.5.1.1
- version/ibm business process manager/7.5.1.2
- version/ibm business process manager/8.0.0.0
- version/ibm business process manager/8.0.1.0
- version/ibm business process manager/8.0.1.1
- version/ibm business process manager/8.0.1.2
- version/ibm business process manager/8.5.0.0
- version/ibm business process manager/8.5.0.1
- version/ibm business process manager/8.5.5.0
- canonical/ibm websphere application server feature pack for web services
- version/ibm websphere application server feature pack for web services/7.2