CVE-2021-20453/CVE-2021-20454: WebSphere Application Server XML External Entity Injection Vulnerability
Vulnerability Detail
CVE-2021-20453
IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker who can submit XML to the server could exploit this vulnerability to expose sensitive information (an external entity that resolves to a local file is copied into the parsed document) or to consume memory resources (nested entity expansion).
Affected version
Affected Product | Version
WebSphere Application Server | 9.0
WebSphere Application Server | 8.5
WebSphere Application Server | 8.0
Remediation (fixed levels)
For V9.0.0.0 through 9.0.5.7:
· Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH34067
–OR–
· Apply Fix Pack 9.0.5.8 or later (targeted availability 2Q2021).
For V8.5.0.0 through 8.5.5.19:
· Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH34067
–OR–
· Apply Fix Pack 8.5.5.20 or later (targeted availability 3Q2021).
For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH34067
CVE-2021-20454
IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker who can submit XML to the server could exploit this vulnerability to expose sensitive information or consume memory resources; the impact is the same as for CVE-2021-20453, but this issue is tracked separately, carries its own interim fix (PH34048) and additionally affects the 7.0 release.
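Both CVE descriptions above name the same two XXE outcomes, information disclosure and memory exhaustion, without showing what they look like. The following is an added example, written for this page and not code from IBM or from the WebSphere product: it is a stand-alone Java program (Java 11+ for Files.writeString) that builds the two classic payloads against a constructed temporary file, feeds them to a default JAXP DocumentBuilder and then to a hardened one. The class name, method names and the temp-file "secret" are all assumptions made for the demo; the feature URIs are the standard Xerces/JAXP ones. The point is the same one the advisory makes for the server's own XML handling: a parser with default settings honours the DTD, and the fix is to refuse it.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added example for this page; not IBM or WebSphere code. Names are hypothetical.
public class XxeDemo {

    // Constructed payload 1: an external general entity that points at a local file.
    // A parser that resolves it copies the file's contents into the document (disclosure).
    static String fileReadPayload(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"" + target.toUri() + "\"> ]>\n"
             + "<data>&xxe;</data>";
    }

    // Constructed payload 2: nested entity expansion. Kept to three levels (1,000 copies)
    // so it runs quickly; a real attack nests deeper to exhaust memory.
    static final String EXPANSION_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE lolz [\n"
        + " <!ENTITY lol \"lol\">\n"
        + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
        + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
        + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
        + "]>\n"
        + "<lolz>&lol3;</lolz>";

    // The vulnerable pattern: a JAXP factory with default settings. It honours the DTD
    // and resolves external entities.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration. Refusing the DOCTYPE declaration removes external entities
    // and internal entity expansion in one step; the remaining features are defence in
    // depth for parsers that do not implement disallow-doctype-decl.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Honoured by the JDK's built-in parser; an older standalone Xerces may throw
        // IllegalArgumentException here, so guard these two if you bundle your own parser.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parse and summarise the root element's text, or report why the parser refused the input.
    static String parse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            String text = d.getDocumentElement().getTextContent();
            String head = text.length() > 40 ? text.substring(0, 40) + "..." : text;
            return "parsed: " + text.length() + " chars of root text, \"" + head + "\"";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret file so the demo runs offline and reads nothing real.
        Path secret = Files.createTempFile("xxe-demo", ".properties");
        Files.writeString(secret, "db.password=hunter2");
        try {
            String fileRead = fileReadPayload(secret);
            System.out.println("default  / file entity : " + parse(defaultBuilder(), fileRead));
            System.out.println("hardened / file entity : " + parse(hardenedBuilder(), fileRead));
            System.out.println("default  / expansion   : " + parse(defaultBuilder(), EXPANSION_PAYLOAD));
            System.out.println("hardened / expansion   : " + parse(hardenedBuilder(), EXPANSION_PAYLOAD));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the default builder the first line shows the temp file's contents ("db.password=hunter2") inside the root element, which is the disclosure half of the advisory; the expansion payload parses to 3,000 characters from a few hundred bytes of input, and each extra nesting level multiplies that by ten. The JDK's default entity-expansion limit (64,000 expansions) eventually stops a deeper payload, but nothing limits the file read, which is why the hardened builder refuses the DOCTYPE outright: both payloads are then rejected with a SAXParseException before any entity is touched.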
Affected version
Affected Product | Version
WebSphere Application Server | 9.0
WebSphere Application Server | 8.5
WebSphere Application Server | 8.0
WebSphere Application Server | 7.0
Remediation (fixed levels)
For V9.0.0.0 through 9.0.5.7:
· Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH34048
–OR–
· Apply Fix Pack 9.0.5.8 or later (targeted availability 2Q2021).
For V8.5.0.0 through 8.5.5.19:
· Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH34048
–OR–
· Apply Fix Pack 8.5.5.20 or later (targeted availability 3Q2021).
For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH34048
For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and then apply Interim Fix PH34048
Solution
Apply the interim fix for your release (PH34067 for CVE-2021-20453, PH34048 for CVE-2021-20454; both are needed on 8.0, 8.5 and 9.0, and PH34048 alone on 7.0) or move to a fix pack that contains them (9.0.5.8 or 8.5.5.20 or later), and keep WebSphere Application Server at a current, supported fix pack level. After patching, confirm the fix is actually installed rather than merely downloaded: run versionInfo.sh -ifixes (versionInfo.bat on Windows) from the WebSphere installation's bin directory and check that PH34067 and PH34048 appear in the list of installed interim fixes on every node, including deployment managers and node agents, since an unpatched profile remains exploitable.