IBM webMethods Integration Server XML External Entity Injection Vulnerability Allowing Remote Code Execution

Vulnerability

An XML external entity (XXE) injection vulnerability has been identified in IBM webMethods Integration Server 10.5 (up to and including IS_10.5_Core_Fix26), 10.7 (up to and including IS_10.7_Core_Fix20), 10.11 (up to and including IS_10.11_Core_Fix14) and 10.15 (up to and including IS_10.15_Core_Fix10). When the server processes XML data it does not properly restrict XML external entity references, so a remote, authenticated attacker can submit a crafted document whose entity declarations the server resolves. Exploitation allows the attacker to execute arbitrary commands on the server.
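The weakness class described above, as an added example that is not webMethods code and not part of the original advisory: it uses Python's standard-library xml.sax to show what a parser that resolves external general entities does with a classic XXE payload (a local file is pulled into the document's character data), and beside it a hardened configuration that keeps external entities disabled and rejects any DOCTYPE outright, so no entity can be declared at all. The secret file, its contents and the payload are constructed inline for the demonstration; `parse_insecure`, `parse_hardened`, `xxe_payload` and `run_demo` are names chosen here, not webMethods or advisory identifiers.

```python
"""XXE demonstration (added example, not webMethods code).

parse_insecure()  - resolves external general entities; leaks a local file.
parse_hardened()  - external entities stay off and any DOCTYPE is refused.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects every character-data callback, including text that arrives
    through an expanded entity, so the leak is visible in the result."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class DoctypeRejected(Exception):
    """Raised by the hardened parser when a DOCTYPE declaration is seen."""


class RejectDoctype:
    """Lexical handler that aborts parsing on the first DOCTYPE declaration.
    expatreader wires up all five callbacks, so the no-op ones must exist."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} refused (system id {system_id!r})")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_insecure(xml_bytes: bytes) -> str:
    """Vulnerable configuration: external general entities are resolved.
    The stdlib leaves this off by default; enabling it reproduces the
    'improper restriction of external entity references' weakness."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened configuration: external entities disabled and DOCTYPE refused,
    so a document cannot declare entities of any kind."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(path: str) -> bytes:
    """Classic XXE payload: an external entity pointing at a local file,
    referenced from element content. 'path' is whatever the attacker targets."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "{path}"> ]>\n'
        '<doc><item>&xxe;</item></doc>\n'
    ).encode()


def run_demo() -> dict:
    """Writes a constructed secret file, sends the payload to both parsers and
    reports what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2")  # constructed sample, not real data
        payload = xxe_payload(secret_path)

        leaked = parse_insecure(payload)  # file contents land in the text
        try:
            parse_hardened(payload)
            rejected = False
        except DoctypeRejected:
            rejected = True
        benign = parse_hardened(b"<doc><item>hello</item></doc>")  # still parses
    return {"insecure_text": leaked, "hardened_rejected": rejected, "benign_text": benign}


if __name__ == "__main__":
    print(run_demo())
```

Refusing the DOCTYPE is the stronger of the two controls: it also shuts out internal entity expansion attacks (entity-bomb style denial of service) that disabling external entities alone does not address, and it is the equivalent of the "disallow-doctype-decl" setting on Java XML parsers such as the ones an application server like Integration Server is built on.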

Impact

A successful attack gives a remote, authenticated attacker arbitrary command execution on the Integration Server host. Because the trigger is XML submitted to the server, any interface that accepts XML from authenticated users is a potential entry point.

Remediation

Users are advised to upgrade to the core fix that follows the last affected level for their release: IS_10.5_Core_Fix27 or later, IS_10.7_Core_Fix21 or later, IS_10.11_Core_Fix15 or later, or IS_10.15_Core_Fix11 or later. These fixes can be downloaded and installed via the IBM webMethods Update Manager; confirm the installed fix level after applying. For more information on how to download webMethods software, refer to the IBM webMethods Support page.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.2
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.