UIM security Vulnerability for Microsoft XML Parser

Article ID: 118613

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

A security scan raised a vulnerability on UIM related to MSXML 4.0, which is installed on Windows with Infrastructure Manager.

The security tool reported the following:

**EOL/Obsolete Software: Microsoft XML Parser and Microsoft XML Core Services (MSXML) 4.0 Detected**

"Microsoft XML Core Services (MSXML), formerly known as the Microsoft XML Parser, can be used to build XML-based applications that follow the World Wide Web Consortium (W3C) XML standards.

MSXML is a Component Object Model (COM) implementation of the W3C DOM model.
Microsoft ended support for Microsoft XML Parser and Microsoft XML Core Services (MSXML) 4.0 on April 12, 2014 and provides no further support."

Since the vendor no longer provides software updates, this version is most susceptible to security vulnerabilities. Depending on the vulnerability being exploited, an unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the targeted system.

Environment

UIM 20.x, 9.X and earlier
Infrastructure manager 4.X and earlier
 

Resolution

The IM client installs a SOAP-runtime-TK3 package, which lays down msxml4.dll. This DLL is required for parsing the Nimsoft Archive listing of probes.

If this is removed, the IM client will be unable to access the web Archive. You can use Admin Console or download directly from support.nimsoft.com instead.

As of the UIM 23.4 release, the parser is upgraded to MSXML 6.0.

Additional Information

MSXML Parser 4.0 is used in versions earlier than 20.4CU8, and it is upgraded to MSXML 6.0 in the UIM 23.4 release.