ESB-2018.3072.2 - UPDATE [Win][Linux][HP-UX][Solaris][AIX] IBM FileNet Content Manager: Multiple vulnerabilities 2019-01-17

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3072.2
        Security Bulletin: IBM FileNet Content Manager affected by
                     multiple security vulnerabilities
                              17 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM FileNet Content Manager
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-18224 CVE-2018-18223 CVE-2018-8036
                   CVE-2018-3302 CVE-2018-3234 CVE-2018-3233
                   CVE-2018-3232 CVE-2018-3231 CVE-2018-3230
                   CVE-2018-3229 CVE-2018-3228 CVE-2018-3227
                   CVE-2018-3226 CVE-2018-3225 CVE-2018-3224
                   CVE-2018-3223 CVE-2018-3222 CVE-2018-3221
                   CVE-2018-3220 CVE-2018-3219 CVE-2018-3218
                   CVE-2018-3217 CVE-2018-3147 CVE-2012-5783

Reference:         ESB-2018.3960
                   ESB-2018.3072
                   ESB-2018.2891
                   ESB-2018.2484
                   ESB-2018.2465
                   ESB-2018.2119
                   ESB-2018.2117
                   ESB-2018.2085
                   ESB-2018.2070
                   ESB-2018.2043
                   ESB-2018.1983

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10731533
   http://www.ibm.com/support/docview.wss?uid=ibm10736035
   http://www.ibm.com/support/docview.wss?uid=ibm10716315

Comment: This bulletin contains three (3) advisories.

Revision History:  January 17 2019: Updated to include latest advisories
                   October 11 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM FileNet Content Manager affected by Apache HttpClient
security vulnerability

Document information

Software version: 5.2.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 0731533

Modified date: 09 October 2018

Summary

Security vulnerability may affect Apache HttpClient used by IBM FileNet
Content Manager.

Vulnerability Details

CVEID: CVE-2012-5783
DESCRIPTION: Apache Commons HttpClient could allow a remote attacker to
conduct spoofing attacks, caused by the failure to verify that the server
hostname matches a domain name in the subject's Common Name (CN) field of the
X.509 certificate. By persuading a victim to visit a Web site containing a
specially-crafted certificate, an attacker could exploit this vulnerability
using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
79984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Remediation/Fixes

To resolve these vulnerabilities, install one of the releases below.

+--------------------------------+---------+------------+--------------------------------------------+
|Product                         |VRMF     |APAR        |Remediation/First Fix                       |
+--------------------------------+---------+------------+--------------------------------------------+
|FileNet Content Manager         |5.2.1    |PJ45429     |5.2.1.7-P8CPE-IF004 - 10/8/2018             |
+--------------------------------+---------+------------+--------------------------------------------+

In the above table, the APAR links will provide more information about the
fix.

Workarounds and Mitigations

None

Change History

8 October, 2018 - initial release

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM FileNet Content Manager affected by Apache HttpClient

security vulnerability

Document information

Software version: 5.2.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 0731533

Modified date: 09 October 2018

Summary

Security vulnerability may affect Apache HttpClient used by IBM FileNet
Content Manager.

Vulnerability Details

CVEID: CVE-2012-5783
DESCRIPTION: Apache Commons HttpClient could allow a remote attacker to
conduct spoofing attacks, caused by the failure to verify that the server
hostname matches a domain name in the subject's Common Name (CN) field of the
X.509 certificate. By persuading a victim to visit a Web site containing a
specially-crafted certificate, an attacker could exploit this vulnerability
using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
79984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Remediation/Fixes

To resolve these vulnerabilities, install one of the releases below.

+--------------------------------+---------+------------+--------------------------------------------+
|Product                         |VRMF     |APAR        |Remediation/First Fix                       |
+--------------------------------+---------+------------+--------------------------------------------+
|FileNet Content Manager         |5.2.1    |PJ45429     |5.2.1.7-P8CPE-IF004 - 10/8/2018             |
+--------------------------------+---------+------------+--------------------------------------------+

In the above table, the APAR links will provide more information about the
fix.

Workarounds and Mitigations

None

Change History

8 October, 2018 - initial release

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: IBM FileNet Content Manager affected by Apache PDFBox

Component: Content Platform Engine, Content Search Services

Software version: 5.2.1, 5.5.0, 5.5.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 0716315

Summary

IBM FileNet Content Manager has addressed the following security vulnerability.

Apache PDFBox is vulnerable to a denial of service, caused by an out of memory
exception in AFMParser. By persuading a victim to open a specially-crafted
file, a remote attacker could exploit this vulnerability to cause the
application to enter into an infinite loop.

For more information please refer to the X-Force database entries referenced
below.

Vulnerability Details

CVEID: CVE-2018-8036
DESCRIPTION: Apache PDFBox is vulnerable to a denial of service, caused by an
out of memory exception in AFMParser. By persuading a victim to open a
specially-crafted file, a remote attacker could exploit this vulnerability to
cause the application to enter into an infinite loop.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
145592 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM FileNet Content Manager 5.2.1, 5.5.0, 5.5.1

Remediation/Fixes

To address this vulnerability install one of the fixes listed below to upgrade
to Apache PDFBox 1.8.15 or higher.

+-----------------------------------+-------+----------+---------------------------------+
|Product                            |VRMF   |APAR      |Remediation/First Fix            |
+-----------------------------------+-------+----------+---------------------------------+
|FileNet Content Manager            |5.2.1  |PJ45440   |5.2.1.7-P8CPE-IF004 - 10/8/2018  |
|                                   |       |PJ45441   |5.2.1.7-P8CSS-IF004 - 10/8/2018  |
|                                   |5.5.0  |PJ45440   |5.5.0.0-P8CPE-IF003 - 12/18/2018 |
|                                   |       |PJ45441   |5.5.0.0-P8CSS-IF003 - 12/18/2018 |
|                                   |5.5.1  |PJ45440   |5.5.1.0-P8CPE-IF001 - 8/24/2018  |
|                                   |       |PJ45441   |5.5.1.0-P8CSS-IF002 - 1/15/2019  |
+-----------------------------------+-------+----------+---------------------------------+
In the above table, the APAR links will provide more information about the fix

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

8 October, 2018: Original Version Published
16 January, 2019: Added 5.5.0 and 5.5.1.0-P8CSS-IF002 releases

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

Modified date: 16 January 2019

- --------------------------------------------------------------------------------

Security Bulletin: IBM FileNet Content Manager affected by Apache HttpClient

Component: Content Platform Engine

Software version: 5.2.1, 5.5.0, 5.5.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 0731533


Summary

Security vulnerability may affect Apache HttpClient used by IBM FileNet Content
Manager.

Vulnerability Details

CVEID: CVE-2012-5783
DESCRIPTION: Apache Commons HttpClient could allow a remote attacker to conduct
spoofing attacks, caused by the failure to verify that the server hostname
matches a domain name in the subject's Common Name (CN) field of the X.509
certificate. By persuading a victim to visit a Web site containing a
specially-crafted certificate, an attacker could exploit this vulnerability
using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
79984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Content Manager 5.2.1, 5.5.0, 5.5.1

Remediation/Fixes

To resolve these vulnerabilities, install one of the releases below.

+--------------------------------+---------+------------+------------------------------- +
|Product                         |VRMF     |APAR        |Remediation/First Fix           |
+--------------------------------+---------+------------+------------------------------- +
|FileNet Content Manager         |5.2.1    |PJ45429     |5.2.1.7-P8CPE-IF004 - 10/8/2018 |
|                                |5.5.0    |PJ45429     |5.5.0.0-P8CPE-IF003 - 12/14/2018|
|                                |5.5.1    |PJ45429     |5.5.1.0-P8CPE-IF002 - 1/15/2019 |
+--------------------------------+---------+------------+--------------------------------+
+--------------------------------+---------+------------+--------------------------------+


In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

8 October, 2018 - initial release
15 January, 2019 - Added 5.5.0 and 5.5.1 releases

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

Modified date: 16 January 2019

- --------------------------------------------------------------------------------

Security Bulletin: Publicly disclosed vulnerability in Oracle Outside In
Technology used by IBM FileNet Content Manager

Component: Content Platform Engine, Content Search Services

Software version: 5.2.1, 5.5.0, 5.5.1, 5.5.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 0736035

Summary

Multiple vulnerabilities may affect Oracle Outside In Technology (OIT) Version
8.5.3 used by IBM FileNet Content Manager. Oracle OIT issues disclosed in the
Oracle October 2018 Critical Patch Update.

Vulnerability Details

CVEID: CVE-2018-18224
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters (ODA Module) component could
allow an unauthenticated attacker to cause low confidentiality impact, no
integrity impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151427 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3227
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151542 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3226
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151541 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3218
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause high confidentiality impact, low integrity
impact, and no availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151533 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2018-3229
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151544 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3217
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause high confidentiality impact, low integrity
impact, and no availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151532 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2018-3228
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151543 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3219
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause high confidentiality impact, no integrity
impact, and low availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151534 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L)

CVEID: CVE-2018-3230
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151545 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3232
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151547 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3221
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151536 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3231
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151546 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3220
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause high confidentiality impact, no integrity
impact, and low availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151535 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L)

CVEID: CVE-2018-3223
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151538 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3234
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151549 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3233
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151548 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3222
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151537 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3225
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151540 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3302
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151614 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3224
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to cause low confidentiality impact, no integrity
impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151539 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID: CVE-2018-3147
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters component could allow an
unauthenticated attacker to obtain sensitive information resulting in a low
confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151463 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-18223
DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related
to the Outside In Technology Outside In Filters (ODA Module) component could
allow an unauthenticated attacker to cause low confidentiality impact, no
integrity impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
151426 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

Affected Products and Versions

FileNet Content Manager 5.2.1, 5.5.0, 5.5.1, 5.5.2

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below to
upgrade Oracle Outside In Technology (OIT) to the July 2018 v8.5.3 patch
28760615 release.

+-------------------------------------+----------+--------------+----------------------------------------------------+
|Product                              |VRMF      |APAR          |Remediation/First Fix                               |
+-------------------------------------+----------+--------------+----------------------------------------------------+
|FileNet Content Manager              |5.2.1     |PJ45551       |5.2.1.7-P8CPE-ALL-LA015 - 1/18/2019                 |
|                                     |5.5.0     |PJ45552       |5.2.1.7-P8CSS-ALL-LA004 - 1/18/2019                 |
|                                     |5.5.1     |PJ45551       |5.5.0.0-P8CPE-ALL-LA004 - 1/18/2019                 |
|                                     |5.5.2     |PJ45552       |5.5.0.0-P8CSS-ALL-LA002 - 1/18/2019                 |
|                                     |          |PJ45551       |5.5.1.0-P8CPE-IF002 - 1/15/2019                     |
|                                     |          |              |5.5.1.0-P8CSS-IF002 - 1/15/2019                     |
|                                     |          |PJ45552       |5.5.2.0-P8CPE-ALL-LA003 - 1/18/2019                 |
|                                     |          |PJ45551       |5.5.2.0-P8CSS-ALL-LA001 - 1/18/2019                 |
|                                     |          |PJ45552       |                                                    |
+-------------------------------------+----------+--------------+----------------------------------------------------+


In the above table, the APAR links will provide more information about the fix.
Contact IBM support for access to the Limited Availability (LA) fixes.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

16 January, 2019 - Initial release

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

Modified date: 16 January 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXEAM2GaOgq3Tt24GAQjEsxAAjYWvyeX+UFoWgW0ZYVPJifZzeQk3Z/M8
R+k285ckN2GI1ftFbFUPxFH+3p8Z/ElCfC8fpZ6qSl8odMldO9DCcNzCm9I8vxSx
HDvm4Hn4KvJEgo+skdZQTd9AXYsbmciZp85g83QzbhTn3MXSt23ZRQhQApwOb0Hn
Q4wCMiObx/ukflItSwG9hAhQBV7hH6itWohA9liANzsXoesdwx4j75VHVLK8iCAU
QaF9Ugd4mi7SIPUydD4/QGHJaCpoNd7bpUcQr0/r3uv1McpQtT67BUORr838tI31
xrHuLv8jwRDC0A+uyFFD/Cdk89puCClOn+utuCLtgsBSxw1rN4AHYU0XIcMW2BM9
BsolxPDLkj3RjuKeAejHF2s6lXm+387GwU488wYIdiNJ1p2mp4ibRPafmfenmVhw
Kc232qPGkRI/fAMOPM0PaAJq1tCSfUZVugutZIJQcUEEyzAOICn5FqRaQ/IfqFdZ
cUE7m+/oiuYfZQa/Ts3TD0+tucmw/7F+8SCSRztgSRykGECKISaP0Ot3ehND/178
WNqjgoT4yNhQ4L5Z8zDgwWQ7O1XRkJ+KkqX+rv6z81IU0Q19RfE6Go4eCi8A7y/O
3Wa8YzKPGIJL1dX5EmU6jVqBT/0XVhPgQiRB0JCMSe6E3sXA7Q6wFzxrTB/CK+tJ
WYh900q8Rok=
=ulX7
-----END PGP SIGNATURE-----

« Back to bulletins