CVE-2020-4949: WebSphere Application Server XXE Injection Vulnerability Alert

IBM recently published a security bulletin addressing an XML External Entity Injection (XXE) vulnerability (CVE-2020-4949) in WebSphere Application Server (WAS). The flaw exists because WAS does not correctly process XML data; a remote attacker can exploit it to obtain sensitive information from the server.

WebSphere Application Server is a software product that serves as a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. Because of its reliability, flexibility, and robustness, it is widely used in enterprise web services.
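As an added illustration of the vulnerability class named in this alert (not WAS code, and not a substitute for the vendor fix: the flaw is inside WAS itself), the example below parses a constructed XML document carrying an external entity with the default JAXP parser and with a hardened one. The class name, the sample document and the placeholder file path are assumptions made for the demo.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeParserHardening {
    // Constructed sample document: a DOCTYPE declaring an external entity that
    // points at a placeholder path (nothing sensitive is read by this demo).
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\"> ]>\n"
      + "<data>&ext;</data>";

    // Hardened factory: reject DOCTYPE outright and, as defence in depth, disable
    // external entity and external DTD resolution (Xerces/JDK feature URIs).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse SAMPLE_XML and report what the parser did with the external entity.
    static String parseOutcome(DocumentBuilderFactory f) throws Exception {
        DocumentBuilder builder = f.newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(SAMPLE_XML)));
            return "entity resolved; <data> contains: " + doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "rejected by parser: " + e.getMessage();
        } catch (IOException e) {
            return "parser tried to read the external entity: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default JAXP factory: DOCTYPE is accepted and SYSTEM entities are
        // resolved, which is the parser behaviour that makes XXE possible.
        System.out.println("default  -> " + parseOutcome(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened -> " + parseOutcome(hardenedFactory()));
    }
}
```

With the default factory the parser attempts to open the SYSTEM URI (if the file existed, its contents would land in the parsed document); the hardened factory rejects the document at the DOCTYPE declaration before any entity is resolved.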

Affected version

  • WebSphere Application Server 9.0.0.0 – 9.0.5.6
  • WebSphere Application Server 8.5.0.0 – 8.5.5.18
  • WebSphere Application Server 8.0.0.0 – 8.0.0.15
  • WebSphere Application Server 7.0.0.0 – 7.0.0.45

Unaffected version

  • WebSphere Application Server >= 9.0.5.7
  • WebSphere Application Server >= 8.5.5.19

Solution

Users are advised to upgrade WebSphere Application Server to the latest version promptly.