Vulnerability CVE-2017-1758 - CERT Civis.Net

Vulnerability Name:

CVE-2017-1758 (CCN-135859)

Assigned:

2016-11-30

Published:

2018-02-19

Updated:

2018-03-12

Summary:

IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859.

CVSS v3 Severity:

7.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
6.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): Low

7.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
6.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2017-1758

Source: CCN
Type: IBM Security Bulletin 2012828 (Financial Transaction Manager)
Financial Transaction Manager for ACH Services and Corporate Payment Services has a potential XML External Entity vulnerability (CVE-2017-1758)

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg22012828

Source: CCN
Type: IBM Security Bulletin 2013375 (Control Center)
10x Vulnerability in IBM Control Center Could Allow Potential XML External Entity (XXE) Injection

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg22013375

Source: CCN
Type: IBM Security Bulletin 2013432 (Transformation Extender Advanced)
IBM Transformation Extender Advanced is Potentially Vulnerable to an XML External Entity (XXE) Injection in its REST API.

Source: CONFIRM
Type: Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg22013432

Source: CCN
Type: IBM Security Bulletin 2014656 (B2B Advanced Communications)
IBM B2B Advanced Communications is Affected by an XML External Entity Injection (XXE) Attack when Processing XML Data

Source: BID
Type: Third Party Advisory, VDB Entry
103130

Source: CCN
Type: BID-103130
Multiple IBM Products CVE-2017-1758 XML External Entity Injection Vulnerability

Source: MISC
Type: VDB Entry, Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/135859

Source: XF
Type: UNKNOWN
ibm-ftm-cve20171758-info-disc(135859)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:financial_transaction_manager:3.0.2.0:*:*:*:*:ach_services:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.2.0:*:*:*:*:cps_services:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.2.1:*:*:*:*:ach_services:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.3.0:*:*:*:*:ach_services:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.4.0:*:*:*:*:ach_services:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.1.0.0:*:*:*:*:ach_services:*:*

Configuration 2:

cpe:/a:ibm:transformation_extender:9.0:*:advanced:*:*:*:*:*

Configuration 3:

cpe:/a:ibm:control_center:6.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:control_center:6.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:control_center:6.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:control_center:6.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:control_center:6.1.1.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:control_center:6.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:transformation_extender:9.0:*:advanced:*:*:*:*:*

OR cpe:/a:ibm:control_center:6.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:control_center:6.1.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.4.0::~~~cps_services~~:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.3.0:*:*:*:*:ach_services:*:*

OR cpe:/a:ibm:financial_transaction_manager:3.0.3.0:*:*:*:*:ach_services:*:*

AND

cpe:/a:ibm:b2b_advanced_communications:1.0.0.1:*:*:*:*:*:*:*

Denotes that component is vulnerable