CVE-2018-17152
Description
InterSystems Cache 2017.2.2.865.0 and 2018.1.2 allow remote XXE via XML external entity processing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
InterSystems Cache versions 2017.2.2.865.0 and 2018.1.2 contain an XML External Entity (XXE) processing vulnerability, as described in reference [1]. The vulnerability exists in the application's handling of XML data, allowing an attacker to include external entities in XML documents processed by the server. The affected versions are explicitly named in the advisory [1].
Exploitation
An attacker can exploit the XXE vulnerability by sending a crafted XML payload to a vulnerable endpoint of the InterSystems Cache application. The attack requires no authentication as the vulnerable endpoint is accessible remotely without prior login [1]. The attacker must entice a user or application to process the malicious XML, which can be achieved through a web request or by uploading an XML file that the server then parses. The advisory notes that the vulnerability can be triggered by an unauthenticated remote user [1].
Impact
Successful exploitation of the XXE vulnerability allows an attacker to read arbitrary files from the server file system, including sensitive configuration files or data. The advisory mentions that XXE can lead to information disclosure, which may enable further attacks [1]. The impact is high, as it compromises confidentiality and could expose credentials, database files, or other critical data [1].
Mitigation
InterSystems released Cache version 2018.1.2 on March 14, 2019, which includes some security fixes, but the advisory states that the XXE vulnerability was not remediated in that release [1]. Users are advised to update to the latest available version from InterSystems to mitigate the issue. As a workaround, the advisory recommends disabling the samples application and avoiding the use of Private Pages functionality as an authorization mechanism [1]. No CVE-specific fix was announced for the XXE issue in the referenced source. The vulnerability is not listed on the CISA KEV catalog at the time of writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Intersystems/Cache
  - Range: =2017.2.2.865.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. know.bishopfox.com/advisories/intersystems-cache-2017-2-2-865-0-vulnerabilities
News mentions
No linked articles in our index yet.