WebSphere XML External Entity Injection Vulnerability (CVE-2020-4643) Handling Guide

October 14, 2020 | Mina Hao

Vulnerability Description

Recently, IBM released a security bulletin announcing the fix of an XML external entity injection (XXE) vulnerability (CVE-2020-4643) in WebSphere Application Server (WAS). Because WAS does not properly process XML data, a remote attacker could exploit this vulnerability to obtain sensitive information from the server.

The NSFOCUS security research team reported CVE-2020-4643 to IBM. CVE-2020-4643 can be used in combination with CVE-2020-4450 to trigger an XXE vulnerability that requires no authentication to exploit, thereby causing the disclosure of sensitive server information. The vulnerability is comparatively easy to exploit and involves high risks. Affected users should take preventive measures as soon as possible.

WAS is reliable, flexible, and robust enterprise-class web middleware that is widely used for enterprise web services.

[Screenshot: reproduction of server information being read without authentication]

Reference link:

https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-information-exposure-vulnerability-cve-2020-4643

Scope of Impact

Affected versions

  • WebSphere Application Server 9.0.0.0 – 9.0.5.5
  • WebSphere Application Server 8.5.0.0 – 8.5.5.17
  • WebSphere Application Server 8.0.0.0 – 8.0.0.15
  • WebSphere Application Server 7.0.0.0 – 7.0.0.45

Note: Official support is no longer available for WebSphere Application Server V7.0 and V8.0.

Check for the Vulnerability

  • Version Check

Users of the affected products can determine whether their installation is vulnerable by checking the current version.

Method 1: Log in to the WebSphere administrative console and view the version information.

If it is one of the affected versions, the application is vulnerable.

Method 2: Go to the /opt/IBM/WebSphere/AppServer/bin directory and run the command ./versionInfo.sh to check the current version and the Package date. If the Package date is earlier than 20200902, the application is vulnerable.

    ./versionInfo.sh

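The following script is an added example, not part of the NSFOCUS advisory or IBM's tooling. It combines the two manual checks above (affected version range, and a Package date earlier than 20200902) into one shell function run over the output of versionInfo.sh. The layout of that output ("Version  a.b.c.d" and a "Package" line whose name ends in ".YYYYMMDD_hhmm") is an assumption, and the sample output is constructed; adjust the awk/sed patterns if your installation prints something different.

```shell
#!/bin/sh
# Added example: combines the advisory's two manual checks (affected version
# range, and Package date earlier than 20200902) into one function.
# ASSUMPTION: versionInfo.sh prints "Version  a.b.c.d" and a "Package" line whose
# name ends in ".YYYYMMDD_hhmm"; adjust the awk/sed patterns if your output differs.

# Constructed sample (not real versionInfo.sh output) for an unpatched WAS 9.0.5.5.
SAMPLE_OUTPUT='Installed Product
--------------------------------------------------------------------------------
Name                     IBM WebSphere Application Server Network Deployment
Version                  9.0.5.5
ID                       ND
Package                  com.ibm.websphere.ND.v90_9.0.5005.20200524_1328
Architecture             x86-64 (64 bit)'

# Turn "a.b.c.d" into a zero-padded integer so ranges compare with -ge/-le.
ver_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d%03d\n", $1, $2, $3, $4 }'
}

# Return 0 if version $1 falls inside one of the affected ranges from the advisory.
version_affected() {
    k=$(ver_key "$1")
    for range in "9.0.0.0 9.0.5.5" "8.5.0.0 8.5.5.17" "8.0.0.0 8.0.0.15" "7.0.0.0 7.0.0.45"; do
        set -- $range
        lo=$(ver_key "$1"); hi=$(ver_key "$2")
        if [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Takes the full versionInfo.sh output as $1. Returns 0 (true) when the install
# looks vulnerable, 1 when the release is unaffected or the Package date shows
# the fix level, 2 when no Version line could be parsed.
was_vulnerable() {
    version=$(printf '%s\n' "$1" | awk '$1 == "Version" { print $2; exit }')
    pkgdate=$(printf '%s\n' "$1" | awk '$1 == "Package" { print $2; exit }' \
              | sed -n 's/.*\.\([0-9]\{8\}\)_.*/\1/p')
    [ -n "$version" ] || { echo "no Version line found" >&2; return 2; }
    version_affected "$version" || return 1
    [ -n "$pkgdate" ] && [ "$pkgdate" -ge 20200902 ] && return 1
    return 0   # affected release, and Package date missing or older than the fix
}

# Real use: was_vulnerable "$(/opt/IBM/WebSphere/AppServer/bin/versionInfo.sh)"
if was_vulnerable "$SAMPLE_OUTPUT"; then
    echo "VULNERABLE: WAS $version, Package date ${pkgdate:-unknown} is before 20200902"
else
    echo "Not affected or already at fix level (WAS $version)"
fi
```

A missing Package date is treated as vulnerable so that a parsing failure errs on the side of patching.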
  • Detection with NSFOCUS Product

NSFOCUS Unified Threat Sensor (UTS) is capable of detecting the vulnerability. Please upgrade it to the latest version.

Product   Version         Download Link
UTS       5.6.10.23620    http://update.nsfocus.com/update/downloads/id/108759

Mitigation

  • Official Fix

IBM has released patches for this vulnerability, including security patches for the versions that are no longer officially supported. Affected users are advised to install the patches as soon as possible.

Affected users can upgrade with IBM Installation Manager by updating the versions and applying the patches as prompted.

Users can also download and install the patches from the official website of IBM.

Affected Version     Fix                                                    Patch Download Link
9.0.0.0 – 9.0.5.5    Security Patch PH27509                                 https://www.ibm.com/support/pages/node/6333617
8.5.0.0 – 8.5.5.17   Security Patch PH27509
8.0.0.0 – 8.0.0.15   Upgrade to version 8.0.0.15 and apply Patch PH27509
7.0.0.0 – 7.0.0.45   Upgrade to version 7.0.0.45 and apply Patch PH27509

Note: Stop the WebSphere service before installing the patches and start it again once installation is complete.

  • Protection with NSFOCUS Product

NSFOCUS Network Intrusion Protection System (NIPS) has released rules to defend against this vulnerability. Users are advised to update the rule base to the latest version so that the product can protect against it effectively. The following table lists the rule base versions.

Product   Rule Base Version   Download Link
IPS       5.6.9.23620         http://update.nsfocus.com/update/downloads/id/108741
IPS       5.6.10.23620        http://update.nsfocus.com/update/downloads/id/108742

For how to update product rules, click the following link:

IPS: https://mp.weixin.qq.com/s/JsRktENQNj1TdZSU62N0Ww

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.