Security Bulletin: Vulnerability in Apache Batik affects IBM Cúram Social Program Management (CVE-2018-8013)

Summary

IBM Cúram Social Program Management uses the Apache Batik Library. In Apache Batik library prior to version 1.10, the class type has not being checked during the deserialization process of the subclass of AbstractDocument. Fix has been put in place to check the class type before instantiating during the deserialization process

Vulnerability Details

CVEID: CVE-2018-8013 DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive information, which is caused by an error during the deserialization of the “AbstractDocument” subclass. An attacker could exploit the vulnerability to reveal files and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143678&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.2.0 - 7.0.4.0
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

7.0.4

| Visit IBM Fix Central and upgrade to 7.0.4.0 or a subsequent 7.0.4 release.
Cúram SPM |

7.0.1

| Visit IBM Fix Central and upgrade to 7.0.1.3 or a subsequent 7.0.1 release.
Cúram SPM |

6.2.0

| Visit IBM Fix Central and upgrade to 6.2.0.6 iFix2 or a subsequent 6.2.0 release.
Cúram SPM |

6.1.1

| Visit IBM Fix Central and upgrade to 6.1.1.6 iFix2 or a subsequent 6.1.1 release.
Cúram SPM |

6.0.5

| Visit IBM Fix Central and upgrade to 6.0.5.10 iFix4 or a subsequent 6.0.5.10 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.