ASA-2019-00252 – IBM Planning Analytics: Apache Derby XML External Entity (XXE) information disclosure


Allele Security Alert

ASA-2019-00252

Identifier(s)

ASA-2019-00252, CVE-2015-1832

Title

Apache Derby XML External Entity (XXE) information disclosure

Vendor(s)

IBM

Product(s)

IBM Planning Analytics

Affected version(s)

IBM Planning Analytics versions 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5 and 2.0.6

Fixed version(s)

IBM Planning Analytics version 2.0.7

Proof of concept

Unknown

Description

Apache Derby could allow a remote attacker to obtain sensitive information because of an XML external entity (XXE) error when XML data is processed by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.

Technical details

Unknown

Credits

Unknown

Reference(s)

Security Bulletin: Multiple vulnerabilities affect IBM Planning Analytics
https://www-01.ibm.com/support/docview.wss?uid=ibm10879407

Apache Derby XXE information disclosure
https://exchange.xforce.ibmcloud.com/vulnerabilities/115625

CVE-2015-1832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832

CVE-2015-1832
https://nvd.nist.gov/vuln/detail/CVE-2015-1832

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: May 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.