CVE-2021-20453/CVE-2021-20454: WebSphere Application Server XML External Entity Injection Vulnerability

WebSphere Application Server is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications, and it is the flagship product within IBM's WebSphere software suite. On April 20, 2021, IBM issued a security bulletin for WebSphere Application Server covering two vulnerabilities, CVE-2021-20453 and CVE-2021-20454, each with a CVSS base score of 8.2.

Vulnerability Detail

CVE-2021-20453

IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Affected versions

WebSphere Application Server 9.0
WebSphere Application Server 8.5
WebSphere Application Server 8.0

Unaffected versions

For V9.0.0.0 through 9.0.5.7:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34067
–OR–
· Apply Fix Pack 9.0.5.8 or later (targeted availability 2Q2021).

For V8.5.0.0 through 8.5.5.19:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34067
–OR–
· Apply Fix Pack 8.5.5.20 or later (targeted availability 3Q2021).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH34067

CVE-2021-20454

IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
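Both CVEs describe the same defect class: an XML parser that resolves external entities declared in a DOCTYPE, so a document can pull file contents into the parsed tree or exhaust memory through entity expansion. The following is an added example, not code from IBM or from WebSphere, showing the standard JAXP hardening that application code deployed on a Java application server should apply to its own parsers regardless of the server fix pack level. The sample document, the placeholder file path `file:///placeholder/secret.txt`, and the class and method names are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeHardening {

    // Constructed sample: a DOCTYPE that declares an external entity pointing at a
    // placeholder local path and references it from the body. A parser that
    // resolves external entities would substitute the file contents into <msg>.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE msg [ <!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\"> ]>\n"
      + "<msg>&ext;</msg>";

    /** Default JAXP factory: DTDs are processed and external entities are resolved. */
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory following the OWASP XXE prevention guidance for JAXP. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no entity declarations, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must accept a DOCTYPE: never fetch externals.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5+ properties: empty string denies all external DTD/schema protocols.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        // Limits entity expansion (the memory-exhaustion half of the advisory).
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the sample with the given factory; returns true only if the parser refused it. */
    static boolean parseIsRefused(DocumentBuilderFactory f) throws ParserConfigurationException {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(SAMPLE_XML)));
            System.out.println("parsed; <msg> text = " + d.getDocumentElement().getTextContent());
            return false;
        } catch (SAXException e) {
            // The hardened configuration fails here: "DOCTYPE is disallowed ..."
            System.out.println("refused: " + e.getMessage());
            return true;
        } catch (IOException e) {
            // The parser attempted to open the external entity and failed (file absent):
            // the fetch was still attempted, so this configuration is unsafe.
            System.out.println("entity fetch attempted and failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive factory refused? " + parseIsRefused(permissiveFactory()));
        System.out.println("hardened factory refused?   " + parseIsRefused(hardenedFactory()));
    }
}
```

Run with `javac XxeHardening.java && java XxeHardening`. The permissive factory either substitutes the file contents or reports an I/O failure while trying to open the placeholder path, both of which show the entity was resolved; the hardened factory rejects the document at the DOCTYPE before any entity is touched. The same feature names apply to `SAXParserFactory` and, with the equivalent `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` property, to StAX.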

Affected versions

WebSphere Application Server 9.0
WebSphere Application Server 8.5
WebSphere Application Server 8.0
WebSphere Application Server 7.0

Unaffected versions

For V9.0.0.0 through 9.0.5.7:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34048
–OR–
· Apply Fix Pack 9.0.5.8 or later (targeted availability 2Q2021).

For V8.5.0.0 through 8.5.5.19:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34048
–OR–
· Apply Fix Pack 8.5.5.20 or later (targeted availability 3Q2021).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH34048

For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and then apply Interim Fix PH34048

Solution

We recommend that users apply the interim fix or fix pack listed above for their release promptly, or upgrade WebSphere Application Server to the latest fixed version.