(CVE-2018-1821) - SecureMisr identifies an XXE vulnerability impacting IBM ODM Middleware

December 29, 2018

IBM has released a fixpack for its Operational Decision Manager (Rule Execution Server) Middleware software to address CVE-2018-1821. This vulnerability has been reported by SecureMisr’s senior consultant and researcher Mohamed Fouad.

The vulnerability impacts IBM Operational Decision Manager software versions 8.6, 8.7, 8.8 and 8.9. IBM Operational Decision Manager is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2018-1821) when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. Escalating this vulnerability to a Server-Side Request Forgery (SSRF) attack would allow an attacker to reach internal systems behind the firewalls that are normally inaccessible from the external network.
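The root cause of an XXE flaw of this kind is an XML parser that honours DOCTYPE declarations and resolves external entities on untrusted input. The following Java example is added here for illustration; it is not IBM's code or the fix shipped in the fixpack, and it assumes only the standard JAXP API available in the JDK. It shows a default `DocumentBuilderFactory` configuration beside a hardened one that refuses any DOCTYPE and disables external entity and DTD loading, and feeds the hardened parser a constructed document carrying an external entity declaration (the `file:///placeholder/path` URI is a placeholder, not a real target).

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardening {

    // Constructed sample document (not from the advisory) that declares an external
    // entity. The hardened parser rejects the DOCTYPE before any entity is resolved,
    // so the placeholder URI is never dereferenced.
    static final String CONSTRUCTED_XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
      + "<data>&ext;</data>";

    static final String PLAIN_DOC = "<data>hello</data>";

    // Default JAXP configuration: DTDs are processed and external entities resolved.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse any DOCTYPE outright, and as defence in depth also
    // disable external general/parameter entities, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse with the given builder and report whether the document was accepted.
    static String tryParse(String label, DocumentBuilder db, String xml) {
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return label + ": accepted, root=<" + doc.getDocumentElement().getTagName()
                 + ">, text=\"" + doc.getDocumentElement().getTextContent() + "\"";
        } catch (SAXParseException e) {
            // disallow-doctype-decl surfaces as a parse error on the DOCTYPE line.
            return label + ": rejected (" + e.getMessage() + ")";
        } catch (Exception e) {
            return label + ": error (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryParse("default/plain", defaultBuilder(), PLAIN_DOC));
        System.out.println(tryParse("hardened/plain", hardenedBuilder(), PLAIN_DOC));
        // The default builder is deliberately not run on the XXE document: it would
        // attempt to open the external entity. The hardened builder rejects the
        // DOCTYPE itself, so the entity is never fetched.
        System.out.println(tryParse("hardened/xxe", hardenedBuilder(), CONSTRUCTED_XXE_DOC));
    }
}
```

Refusing the DOCTYPE entirely is the simplest mitigation for both the information-disclosure and the memory-consumption (entity expansion) consequences the advisory names; the remaining feature flags matter only where a DTD must be accepted for legitimate reasons, and they should be applied to every parser instance (SAX, StAX, transformers, validators) that touches untrusted input, not just `DocumentBuilderFactory`.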

SecureMisr is making this disclosure in accordance with its responsible disclosure practices after a fix has been released by IBM.