XStream is prone to multiple information-disclosure vulnerabilities.
An attacker can exploit these issues to gain access to sensitive information from the application; this may lead to further attacks.
Note: This issue was previously titled 'XStream XML External Entity Denial of Service Vulnerability'. The title has been changed to better reflect the nature of the vulnerability.
Versions prior to XStream 1.4.9 are vulnerable.
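The advisory identifies the issue as an XML External Entity (XXE) problem in XStream's XML parsing, with 1.4.9 as the first fixed release, but it does not show what a hardened configuration looks like. The Java snippet below is an added example, not part of this advisory and not XStream's own code: it builds an XStream instance on a StaxDriver whose XMLInputFactory refuses DTDs and external entities, then checks that a constructed document declaring an external entity is rejected while a benign one still parses. The Greeting type, the sample documents and the placeholder file URI are constructed for illustration; the assumption is that StaxDriver.createInputFactory() is the hook through which XStream obtains its StAX factory. Upgrading to 1.4.9 or later remains the primary fix; this configuration is a defensive layer that also protects against a misconfigured parser on newer versions.

```java
import javax.xml.stream.XMLInputFactory;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.StaxDriver;

/**
 * Added example (not XStream project code): an XStream instance whose StAX
 * parser refuses DTDs and external entities, so that a document carrying an
 * external entity declaration fails to parse instead of being resolved.
 */
public class HardenedXStreamExample {

    // Assumption: StaxDriver.createInputFactory() is the hook XStream calls to
    // obtain its XMLInputFactory; overriding it lets us set parser features.
    static final class HardenedStaxDriver extends StaxDriver {
        @Override
        protected XMLInputFactory createInputFactory() {
            XMLInputFactory factory = XMLInputFactory.newInstance();
            // Do not process DOCTYPE declarations; without a DTD there are no entity definitions.
            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
            // Never resolve external entities, even if a DTD were processed.
            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
            return factory;
        }
    }

    // Constructed example type used only to give the sample documents something to map to.
    public static class Greeting {
        public String text;
    }

    // Constructed sample documents: one benign, one declaring an external entity
    // that points at a placeholder URI (not a real resource).
    static final String BENIGN =
        "<greeting><text>hello</text></greeting>";
    static final String WITH_EXTERNAL_ENTITY =
        "<!DOCTYPE greeting [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
      + "<greeting><text>&ext;</text></greeting>";

    public static XStream hardenedXStream() {
        XStream xstream = new XStream(new HardenedStaxDriver());
        xstream.alias("greeting", Greeting.class);
        // Recent XStream releases refuse to deserialize types that are not explicitly
        // allowed; listing the constructed type keeps the example runnable on them.
        xstream.allowTypes(new Class[] { Greeting.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        Greeting ok = (Greeting) xstream.fromXML(BENIGN);
        System.out.println("benign document parsed: " + ok.text);

        try {
            xstream.fromXML(WITH_EXTERNAL_ENTITY);
            System.out.println("UNEXPECTED: document with external entity was accepted");
        } catch (XStreamException e) {
            // Expected: the StAX parser refuses the DTD or the undeclared entity reference.
            // The exact message depends on the StAX implementation in use.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Whether the rejection is triggered by the DOCTYPE itself or by the unresolved entity reference depends on the StAX implementation (the JDK's built-in parser and Woodstox behave differently), which is why both properties are set and the check catches the general XStreamException rather than a specific subtype.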
Vulnerable:
- Oracle Utilities Framework 4.3.0.3.0
- Oracle Utilities Framework 4.3.0.2.0
- Oracle Utilities Framework 4.3.0.1.0
- Oracle Utilities Framework 4.2.0.3.0
- Oracle Utilities Framework 4.2.0.2.0
- Oracle Utilities Framework 4.2.0.1.0
- Oracle Utilities Framework 4.1.0.2.0
- Oracle Utilities Framework 4.1.0.1.0
- Oracle Utilities Framework 2.2.0.0.0
- IBM Tivoli Netcool Configuration Manager 6.4.1
- IBM Tivoli Netcool Configuration Manager 6.4.2.2
- IBM Tivoli Netcool Configuration Manager 6.4.2.1
- IBM Tivoli Netcool Configuration Manager 6.4.2.0
- IBM Tivoli Netcool Configuration Manager 6.4.1.4
- IBM Tivoli Netcool Configuration Manager 6.4.1.3
- IBM Tivoli Netcool Configuration Manager 6.4.1.2
- IBM Domino 8.5.3 FP 6 IF 13
- IBM Domino 8.5
- IBM Domino 9.0.1 FP 6 IF 1
- IBM Domino 9.0 IF 4
References:
- x-stream Change History (x-stream)
- xstream Homepage (xstream)
- XXE vulnerability #25 (XStream)
- CVE request - XStream: XXE vulnerability (Seclists.org)
- Oracle Critical Patch Update Advisory - April 2017 (Oracle)
- swg21985960: IBM Domino is affected by an XStream XML information disclosure (CV (IBM)
- swg21992217: IBM Tivoli Netcool Configuration Manager (ITNCM) is affected by a v (IBM)