History: Oct 10, 2019 - 9:58 p.m.

Security Bulletin: IBM FileNet Content Manager and Case Foundation security vulnerability in Process Orchestration Web Service logging

2019-10-10 21:58:54
www.ibm.com

EPSS: 0.0004 Low
Percentile: 12.7%

Summary

A security vulnerability in IBM FileNet Content Manager and Case Foundation could, in some cases, cause user information to be written to the log when Process Orchestration Web Services is invoked.

Vulnerability Details

CVEID: CVE-2019-4572
DESCRIPTION: IBM FileNet Content Manager, in specific configurations, could log the web service user credentials into a log file that could be accessed by an administrator on the local machine.
CVSS Base Score: 4.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166798> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

FileNet Content Manager and Case Foundation 5.5.2, 5.5.3.
This security vulnerability only exists in 5.5.2.0-P8CPE-IF001, 5.5.2.0-P8CPE-IF002 and 5.5.3.0-P8CPE (GA).

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below.

| Product | VRMF | APAR | Remediation/First Fix |
| --- | --- | --- | --- |
| FileNet Content Manager | 5.5.2 | PJ45882 | 5.5.2.0-P8CPE-IF003 - 10/9/2019 |
| FileNet Content Manager | 5.5.3 | PJ45882 | 5.5.3.0-P8CPE-IF001 - 9/27/2019 |

Workarounds and Mitigations

Stop use of Process Engine (PE) Process Orchestration’s advanced “Partner Links function”.
