CVE-2015-0132 in Rational Requirements Composer

Summary

by MITRE

The XML parser in IBM Rational DOORS Next Generation 4.x before 4.0.7 iFix3 and 5.x before 5.0.2 and Rational Requirements Composer 2.x and 3.x before 3.0.1.6 iFix5 and 4.x before 4.0.7 iFix3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.


Analysis

by VulDB Data Team • 11/14/2017

CVE-2015-0132 is a critical denial of service weakness in IBM Rational DOORS Next Generation and Rational Requirements Composer. The flaw lies in the XML parser, which fails to adequately detect recursion during entity expansion. When the parser processes a specially crafted XML document containing deeply nested entity references, each reference expands into further references, and memory consumption grows with every level until system resources are exhausted and the service becomes unavailable. The issue is similar to CVE-2003-1564, the earlier precedent for XML parser vulnerabilities involving recursive entity handling and memory exhaustion.

Affected are DOORS Next Generation 4.x before 4.0.7 iFix3 and 5.x before 5.0.2, together with Rational Requirements Composer 2.x and 3.x before 3.0.1.6 iFix5 and 4.x before 4.0.7 iFix3. The root cause maps directly to CWE-400, Uncontrolled Resource Consumption, and more specifically aligns with CWE-128, representing excessive resource consumption due to recursive entity expansion.

Operationally, the vulnerability is a significant risk to organizations that rely on these tools for requirements management and system analysis: a remote attacker can disrupt service availability without authentication or elevated privileges, and because the attack only requires submitting an XML document it is accessible to attackers with minimal technical expertise. Organizations face potential business disruption, service degradation, and the cost of emergency patching and system recovery. If systems become unresponsive during critical requirements analysis or traceability operations, data loss is also possible. Under the ATT&CK framework the vulnerability would fall within the Denial of Service tactic, targeting system availability through resource exhaustion techniques.

The weakness stems from inadequate input validation and processing controls in the XML parser implementation, where recursion detection is either missing or insufficient to prevent excessive entity expansion. Organizations should prioritize patching affected versions and, as additional protective measures, implement network segmentation and XML validation controls. Remediation should be coordinated with IBM support so that the iFix is installed without disrupting ongoing requirements management workflows. The case underscores the importance of proper XML parser security controls and the ongoing challenge of recursive entity expansion in enterprise software.
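As an added illustration of the parser-side control the analysis calls for (example code written for this page, not code from VulDB or IBM), the following Python guard parses with the standard-library expat bindings and aborts when the internal DTD declares too many entities or when expanded text outgrows a fixed multiple of the input size; the two sample documents are constructed.

```python
import xml.parsers.expat

class EntityExpansionBlocked(Exception):
    """Raised when a document exceeds the entity-expansion budget."""

def parse_with_expansion_guard(xml_bytes, max_entities=20, max_amplification=10):
    """Parse with expat, aborting if the internal DTD declares more than
    max_entities entities or the expanded text grows beyond
    max_amplification * len(input). Returns parse statistics on success."""
    parser = xml.parsers.expat.ParserCreate()
    budget = len(xml_bytes) * max_amplification
    stats = {"entities": 0, "chars": 0, "elements": 0}

    def on_entity_decl(name, is_param, value, base, sys_id, pub_id, notation):
        stats["entities"] += 1
        if stats["entities"] > max_entities:
            raise EntityExpansionBlocked(f"{stats['entities']} entity declarations")

    def on_chars(data):  # called per expanded chunk, so growth is caught early
        stats["chars"] += len(data)
        if stats["chars"] > budget:
            raise EntityExpansionBlocked(f"expanded text exceeded {budget} characters")

    def on_start(name, attrs):
        stats["elements"] += 1

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # a handler exception aborts the parse and propagates
    return stats

def is_blocked(xml_bytes):
    """True if the guard rejects the document, False if it parses within budget."""
    try:
        parse_with_expansion_guard(xml_bytes)
        return False
    except EntityExpansionBlocked:
        return True

# Constructed samples (not from the advisory): a benign document and a small nested-entity
# document of the kind the CVE describes (each level references the previous one ten times).
BENIGN_XML = b'<?xml version="1.0"?><reqs><req id="R1">Login must use TLS</req></reqs>'
NESTED_ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE reqs [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<reqs><req id="R1">&d;</req></reqs>"""
```

The nested sample is deliberately tiny (about 10,000 expanded characters) so it stays far below expat's own built-in amplification limit and is stopped by this guard instead.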

Reservation

11/18/2014

Disclosure

03/18/2015

Moderation

accepted

Entry

VDB-74433

CPE

ready

EPSS

0.00533

KEV

no

Activities

very low

Sources
