CVE-2021-20453/CVE-2021-20454: WebSphere Application Server XML External Entity Injection Vulnerability

Vulnerability Detail

CVE-2021-20453

IBM WebSphere Application Server is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Affected version

Unaffected version

For V9.0.0.0 through 9.0.5.7:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34067
–OR–
· Apply Fix Pack 9.0.5.8 or later (targeted availability 2Q2021).

For V8.5.0.0 through 8.5.5.19:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34067
–OR–
· Apply Fix Pack 8.5.5.20 or later (targeted availability 3Q2021).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH34067

CVE-2021-20454

IBM WebSphere Application Server is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Affected version

Unaffected version

For V9.0.0.0 through 9.0.5.7:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34048
–OR–
· Apply Fix Pack 9.0.5.8 or later (targeted availability 2Q2021).

For V8.5.0.0 through 8.5.5.19:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH34048
–OR–
· Apply Fix Pack 8.5.5.20 or later (targeted availability 3Q2021).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH34048
For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and  then apply Interim Fix PH34048

Solution

In this regard, we recommend that users upgrade WebSphere Application Server to the latest version in time.