Unrated severity · NVD Advisory · Published Jan 1, 2013 · Updated Apr 29, 2026

CVE-2012-5769

Description

IBM SPSS Modeler 14.0–15.0 FP1 is vulnerable to XXE, allowing remote file disclosure, internal HTTP requests, and denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

IBM SPSS Modeler versions 14.0, 14.1, 14.2 through FP3, and 15.0 before FP2 are vulnerable to an XML External Entity (XXE) injection flaw. The vulnerability exists in the XML parser when it processes specially crafted XML documents. An attacker can exploit this by embedding an XML external entity declaration along with an entity reference in a document that a victim opens in the application. No special configuration or privilege is required beyond the user opening the malicious file [1].

Exploitation

The attacker must craft an XML document containing a malicious <!ENTITY> declaration that points to external resources. The victim must be tricked into opening this document with IBM SPSS Modeler. The XML parser then resolves the external entity, which can trigger the reading of local files (e.g., file:///etc/passwd) or cause the application to send HTTP requests to internal or external servers, and can also lead to CPU and memory exhaustion due to entity expansion or resource consumption [1].
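
For triage, the declarations described above can be located in a document without resolving them. The following Python check is an added example, not code from IBM or from this advisory; the function name `scan_entity_declarations`, the `doc` root element and the sample document are assumptions constructed for illustration. It relies on the standard library's expat binding, which reports entity declarations but does not fetch external entities when no external-entity handler is installed, and it stops at the root element so no entity reference is ever expanded.

```python
import re
import xml.parsers.expat

# Constructed sample input (not taken from the advisory): one internal entity
# that references another, and one external entity.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY ext SYSTEM "file:///etc/passwd">
]>
<doc>&ext;</doc>
"""

_ENTITY_REF = re.compile(r"&[A-Za-z_:][\w.:-]*;")


class _PrologDone(Exception):
    """Raised at the root element: all declarations precede it."""


def scan_entity_declarations(data):
    """Return risky DTD declarations without resolving or expanding entities."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:  # DOCTYPE points at an external DTD subset
            findings.append({"kind": "external-dtd", "name": name, "target": system_id})

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # external entity: declared with SYSTEM or PUBLIC
            findings.append({"kind": "external-entity", "name": name, "target": system_id})
        elif _ENTITY_REF.search(value):  # entity built from other entities
            findings.append({"kind": "nested-entity", "name": name, "target": None})

    def on_root(name, attrs):
        raise _PrologDone  # stop before any content (and any expansion)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append({"kind": "malformed", "name": None, "target": str(exc)})
    return findings
```

Any `external-dtd` or `external-entity` finding marks a document that would make a vulnerable parser read a file or issue a request; `nested-entity` findings mark the building blocks of expansion-based resource exhaustion.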

Impact

Successful exploitation results in potential disclosure of sensitive files from the victim's filesystem. The attacker may also use the victim's system as a pivot to probe or attack intranet servers via HTTP requests. Additionally, the entity resolution can be crafted to consume excessive CPU and memory, leading to a denial of service condition that affects the availability of the application [1].

Mitigation

IBM has released fixes in the form of Fix Packs: for versions 14.2 through 15.0, applying the appropriate Fix Pack resolves the issue. Versions 15.0 FP2 and later are unaffected. No workarounds are known; users are advised to apply the recommended updates as soon as practical [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13
  • IBM/Spss Modeler: 13 versions
    • cpe:2.3:a:ibm:spss_modeler:14.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.0.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:14.2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:15.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:spss_modeler:15.0.0.1:*:*:*:*:*:*:*
    • (no CPE) range: 14.0, 14.1, 14.2 FP3, 15.0 before FP2

References

4
