Vulnerability CVE-2014-6212 - CERT Civis.Net

Vulnerability Name:

CVE-2014-6212 (CCN-98689)

Assigned:

2014-12-30

Published:

2014-12-30

Updated:

2017-09-08

Summary:

The Echo API in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix11, 10.0.0.x before 10.0.0.1 iFix12, 10.0.1.x before 10.0.1.5 iFix2, and 10.0.2.x before 10.0.2.2 iFix5; Emptoris Sourcing 9.5 before 9.5.1.3 iFix2, 10.0.0.x before 10.0.0.1 iFix1, 10.0.1.x before 10.0.1.3 iFix1, and 10.0.2.x before 10.0.2.5; and Emptoris Program Management (aka PGM) and Strategic Supply Management (aka SSMP) 10.0.0.x before 10.0.0.3 iFix6, 10.0.1.x before 10.0.1.4 iFix1, and 10.0.2.x before 10.0.2.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
2.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-6212

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21693069

Source: CCN
Type: IBM Security Bulletin 1693069
Multiple vulnerabilities related to XML DoS attack IBM Emptoris Strategic Supply Management Suite products (CVE-2014-3529, CVE-2014-3574)

Source: CCN
Type: IBM Security Bulletin 1694232
Multiple vulnerabilities related to XML DoS attack in IBM Emptoris Rivermine Telecom Expense Management product (CVE-2014-3529, CVE-2014-6212, CVE-2014-3574)

Source: CCN
Type: BID-72026
Multiple IBM Products CVE-2014-6212 XML External Entity Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
ibm-emptoris-cve20146212-info-disc(98689)

Source: XF
Type: UNKNOWN
ibm-emptoris-cve20146212-xxe(98689)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:emptoris_sourcing_portfolio:9.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:9.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:9.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:9.5.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:9.5.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:9.5.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:9.5.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_sourcing_portfolio:10.0.2.4:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:ibm:emptoris_program_management:10.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.1.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_program_management:10.0.2.4:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:ibm:emptoris_contract_management:9.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:9.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:9.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:9.5.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:9.5.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:9.5.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:9.5.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.1.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:10.0.2.2:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:ibm:emptoris:strategic_supply_management:10.0.0.0:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.0.1:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.0.2:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.0.3:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.1.0:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.1.1:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.1.2:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.1.3:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.1.4:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.2.0:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.2.1:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.2.2:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.2.3:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris:strategic_supply_management:10.0.2.4:*:*:*:*:*:*

Denotes that component is vulnerable