A fix is available
APAR status
Closed as program error.
Error description
DETAIL OF PROBLEM: XML External Entity (XXE). The application is vulnerable to an XXE attack. This can take the server out of service (DoS), make the server issue requests on the attacker's behalf (SSRF), and give access to local/remote files. All of this happens when the SC server processes the XML file used to configure AD/LDAP authentication.
RECREATE STEPS: When configuring LDAP settings, an XML file can be uploaded. The SC server's parsing of that XML file performs no check or filtering of the content written in the XML file.
Local fix
Problem summary
USERS AFFECTED:
IBM Spectrum Control 5.2.x and 5.3.x users

PROBLEM DESCRIPTION:
IBM Spectrum Control is vulnerable to XML External Entity (XXE) attack.

This can cause the server to be out of service (DoS), make the server issue requests (SSRF), and give access to local/remote files.

The vulnerability in Spectrum Control can only be invoked by a Spectrum Control administrator, while logged in, by uploading a malicious XML file for configuring AD/LDAP authentication.

The vulnerability is fixed in Spectrum Control versions 5.2.17.4 and 5.3.3.

RECOMMENDATION:
Apply fix maintenance when available.
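As an added example, not IBM's code or the Spectrum Control implementation, here is the kind of check the error description and problem summary say is missing: a parser for an uploaded settings file that aborts on any DOCTYPE, entity declaration or external entity reference, tried against a constructed benign document and a constructed XXE probe. The ldapSettings tag names and the file URL are hypothetical.

```python
import xml.parsers.expat

class UnsafeXmlError(ValueError):
    """The uploaded XML uses a DTD, entity declaration or external reference."""

def parse_settings_xml(data: bytes) -> dict:
    """Parse a flat settings document (such as an uploaded AD/LDAP configuration)
    into {tag: text}, aborting before any file or URL can be touched if the
    document uses the DOCTYPE/entity constructs that XXE depends on."""
    parser = xml.parsers.expat.ParserCreate()
    settings, buf = {}, []

    def reject(*_):   # shared by every DTD-related callback; raising stops the parse
        raise UnsafeXmlError("DOCTYPE/entity declarations are not permitted in settings files")

    def end(name):
        text = "".join(buf).strip()
        if text:                      # store elements that carry text
            settings[name] = text
        buf.clear()

    parser.StartDoctypeDeclHandler = reject     # fires before the internal subset is read
    parser.EntityDeclHandler = reject
    parser.UnparsedEntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject    # defence in depth: never fetch an entity
    parser.StartElementHandler = lambda name, attrs: buf.clear()
    parser.CharacterDataHandler = buf.append
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return settings

def check_upload(data: bytes):
    """Return (accepted, settings_or_reason) for an uploaded settings file."""
    try:
        return True, parse_settings_xml(data)
    except UnsafeXmlError as exc:
        return False, str(exc)

# Constructed sample of a benign upload (tag names are hypothetical).
BENIGN_XML = b"""<ldapSettings>
  <host>ldap.example.internal</host>
  <port>636</port>
  <baseDN>dc=example,dc=internal</baseDN>
</ldapSettings>"""

# Constructed probe of the kind the APAR describes: a DOCTYPE declaring an
# external entity that an unrestricted parser would expand into <host>.
XXE_XML = b"""<!DOCTYPE ldapSettings [<!ENTITY xxe SYSTEM "file:///some/local/file">]>
<ldapSettings><host>&xxe;</host></ldapSettings>"""
```

The benign document parses to a plain dict, while the probe is refused at the DOCTYPE before the parser ever sees the entity, which is the point at which a file read or outbound request would otherwise start.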
Problem conclusion
The fix for this APAR is contained in the following releases:
IBM Spectrum Control 5.3.3 (5.3.3-IBM-SC) | May 2019
IBM Spectrum Control 5.2.17.4 (5.2.17-TIV-TPC-FP0003) | August 2019
http://www.ibm.com/support/docview.wss?&uid=swg21320822
Temporary fix
Comments
APAR Information
APAR number
IT27938
Reported component name
TPC ADVANCED
Reported component ID
5608TPCA0
Reported release
52A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-01-31
Closed date
2019-09-18
Last modified date
2019-09-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TPC ADVANCED
Fixed component ID
5608TPCA0
Applicable component levels
Business Unit: Software (BU029); Product: Tivoli Storage Productivity Center Advanced (SSNECY); Platform: Platform Independent (PF025); Version: 52A
Document Information
Modified date:
24 June 2022