Security Bulletin
Summary
IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks.
Vulnerability Details
CVEID: CVE-2021-33813
DESCRIPTION: JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203804 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
DESCRIPTION: JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203804 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| Manage Component | 8.2, 8.3, 8.4 |
| Manage Component in IBM Maximo Application Suite as a Service | 8.4 |
| IBM Maximo Asset Management | 7.6.1.3 |
| IBM Maximo Asset Management | 7.6.1.2 |
| IBM Maximo Asset Management | 7.6.1.1 |
Remediation/Fixes
See Workarounds and Mitigations.
Workarounds and Mitigations
A configuration to prevent xml external entities from being resolved is provided. Use the following steps to ensure that the vulnerability is addressed:
1. Go to the System Properties application and search for mxe.int.resolvexmlextentity. If it is not present, add it.
2. Ensure the value is set to 0. This is the secure setting.
3. If needed, save and perform a Live Refresh.
3. If needed, save and perform a Live Refresh.
Get Notified about Future Security Bulletins
References
Off
Change History
13 Jul 2022: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"ARM Category":[{"code":"a8m0z000000cvcNAAQ","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1"},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS5RRF","label":"IBM Maximo for Aviation"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.8, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"ARM Category":[{"code":"a8m0z000000cvcNAAQ","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1"},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSWT9A","label":"IBM Control Desk"},"ARM Category":[{"code":"a8m0z000000bntEAAQ","label":"Miscellaneous Category (Portal, UI, Maximo, Install)-\u003ESecurity"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1"},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.2, 7.6.0.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKVFR","label":"Maximo for Service Providers"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.3.3, 7.6.3.2, 7.6.3.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.2.5, 7.6.2.4, 7.6.2.3","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSG2D3","label":"Maximo Spatial Asset Management"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.5, 7.6.0.4, 7.6.0.3, 7.6.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKSJ","label":"Maximo Asset Configuration Manager"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.7.1, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]
Was this topic helpful?
Document Information
Modified date:
10 January 2023
UID
ibm16607163