製品・ソフトウェアに関する情報

JVN脆弱性詳細

IBM Business Process Manager および WebSphere Lombardi Edition の callService.do における任意のファイルを読まれる脆弱性

Title	IBM Business Process Manager および WebSphere Lombardi Edition の callService.do における任意のファイルを読まれる脆弱性
Summary	IBM Business Process Manager (BPM) および WebSphere Lombardi Edition の callService.do には、任意のファイルを読まれる脆弱性が存在します。本件は、XML 外部エンティティ (XXE) の問題に関する脆弱性です。
Possible impacts	リモート認証されたユーザにより、エンティティ参照に関連する XML 外部エンティティ宣言を介して、任意のファイルを読まれる脆弱性が存在します。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 15, 2014, midnight
Registration Date	Aug. 19, 2014, 2:28 p.m.
Last Update	Aug. 19, 2014, 2:28 p.m.

Affected System

IBM

IBM Business Process Manager 7.5 から 8.5.5

IBM WebSphere Lombardi Edition 7.2 から 7.2.0.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-3087	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3087
National Vulnerability Database (NVD)
2	CVE-2014-3087	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3087

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
IBM APAR
1	JR50616	http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
IBM Support Document
2	1679726	http://www-01.ibm.com/support/docview.wss?uid=swg21679726

その他

No	Name	URL
関連文書
1	ibm-websphere-cve20143087-info-disc (94112)	http://xforce.iss.net/xforce/xfdb/94112

Change Log

No	Changed Details	Date of change
0	[2014年08月19日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-3087

Summary	callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Publication Date	Aug. 18, 2014, 8:55 a.m.
Registration Date	Jan. 26, 2021, 3:09 p.m.
Last Update	Nov. 21, 2024, 11:07 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ibm:websphere_application_server:7.2::lombardi:::::
cpe:2.3:a:ibm:business_process_manager:8.5.0.0:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.0.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.1.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.1.1:::::::*
cpe:2.3:a:ibm:business_process_manager:8.5.5.0:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.1.2:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.1.1:::::::*
cpe:2.3:a:ibm:business_process_manager:8.5.0.1:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.1.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.0.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.1.2:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.0.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://secunia.com/advisories/60752
2	http://secunia.com/advisories/60752
3	http://secunia.com/advisories/60755
4	http://secunia.com/advisories/60755
5	http://secunia.com/advisories/60757
6	http://secunia.com/advisories/60757
7	http://www.securityfocus.com/bid/69264
8	http://www.securityfocus.com/bid/69264
9	http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616	Vendor Advisory
10	http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616	Vendor Advisory
11	http://www-01.ibm.com/support/docview.wss?uid=swg21679726	Patch Vendor Advisory
12	http://www-01.ibm.com/support/docview.wss?uid=swg21679726	Patch Vendor Advisory
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/94112
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/94112

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ibm:websphere_application_server:7.2::lombardi:::::
cpe:2.3:a:ibm:business_process_manager:8.5.0.0:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.0.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.1.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.1.1:::::::*
cpe:2.3:a:ibm:business_process_manager:8.5.5.0:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.1.2:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.1.1:::::::*
cpe:2.3:a:ibm:business_process_manager:8.5.0.1:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.1.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.0.0:::::::*
cpe:2.3:a:ibm:business_process_manager:8.0.1.2:::::::*
cpe:2.3:a:ibm:business_process_manager:7.5.0.1:::::::*