CVE-2019-4062
Description
IBM i2 Intelligent Analysis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM i2 Intelligent Analysis Platform 9.0.0-9.1.1 vulnerable to XXE, allowing remote attackers to access sensitive information or exhaust memory.
Vulnerability
IBM i2 Intelligent Analysis Platform versions 9.0.0 through 9.1.1, including IBM i2 Analyst's Notebook and Analyst's Notebook Premium, are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. The vulnerability is present in the XML parser's handling of external entities, requiring no special configuration beyond default settings [1].
Exploitation
A remote attacker with low privileges (network access and valid credentials) can craft a malicious XML payload containing an external entity reference. Upon processing by the vulnerable component, the XML parser resolves the external entity, leading to information disclosure or resource consumption. No user interaction is required beyond the system processing the attacker-supplied XML [1].
Impact
Successful exploitation allows the attacker to expose sensitive information (confidentiality impact: high) or cause denial of service via memory consumption (availability impact: low). The attacker does not gain direct code execution but can read arbitrary files or perform server-side request forgery (SSRF) to internal resources [1].
Mitigation
IBM has released fixes for the affected versions. Administrators should apply the appropriate patch or upgrade as specified in the security bulletin (ibm10881746). As of the publication date (2019-07-30), no workarounds are documented, and the vendor strongly recommends updating to a fixed release [1].
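The parser-level fix described above is to refuse DOCTYPE declarations and external entity resolution before any XML is processed. The following is an added example (not IBM's code, and not tied to the i2 product's actual parser) showing that check with Python's stdlib expat bindings; the sample documents are constructed, and the `file:///placeholder/...` path is a placeholder.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DOCTYPE or an external entity."""


def parse_without_external_entities(data: bytes) -> list[str]:
    """Parse XML with expat, rejecting DOCTYPEs and refusing to fetch external
    entities. Returns the element names seen, in document order."""
    parser = expat.ParserCreate()
    elements: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Rejecting any DOCTYPE blocks both external entities (XXE) and
        # internal entity-expansion bombs (the memory-exhaustion case).
        raise UnsafeXML(f"DOCTYPE '{name}' not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: only reached if a DOCTYPE were ever permitted.
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external entity '{name}' -> {sysid}")

    def on_external_ref(context, base, sysid, pubid):
        # Returning 0 makes expat abort instead of opening the referenced URI.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def classify(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a submitted XML document."""
    try:
        names = parse_without_external_entities(data)
    except UnsafeXML as e:
        return False, f"rejected: {e}"
    except expat.ExpatError as e:
        return False, f"malformed: {e}"
    return True, f"accepted: {len(names)} elements"


# Constructed samples: a benign document and one carrying an external entity
# that a permissively configured parser would resolve and inline.
BENIGN = b"<chart><item id='1'/></chart>"
XXE = (b"<?xml version='1.0'?>"
       b"<!DOCTYPE chart [<!ENTITY leak SYSTEM 'file:///placeholder/secret.txt'>]>"
       b"<chart>&leak;</chart>")

if __name__ == "__main__":
    for sample in (BENIGN, XXE):
        print(classify(sample))
```

The hardened parser never contacts the entity's URI, so the same check also stops the SSRF variant mentioned under Impact.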
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=9.0.0, <=9.1.1
- IBM/i2 Analyst's Notebook, Range: 9.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ibm.com/support/docview.wss (x_refsource_CONFIRM)
- exchange.xforce.ibmcloud.com/vulnerabilities/157007 (vdb-entry, x_refsource_XF)
News mentions
No linked articles in our index yet.