Security Bulletin: Vulnerability in Apache Commons IO may affect Cúram Social Program Management (CVE-2021-29425)

Summary

IBM Cúram Social Program Management uses the Apache Commons libraries, for which there is a publicly known vulnerability. For this vulnerability Apache Commons IO, when invoking the method FileNameUtils.normalize with an improper input string, the result would be the same value, thus possibly providing access to files in the parent directory.

Vulnerability Details

CVEID:CVE-2021-29425
**DESCRIPTION:**Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

7.0.11

| Visit IBM Fix Central and upgrade to 7.0.11_iFix4 or a subsequent 7.0.11 release.
Cúram SPM |

7.0.9

| Visit IBM Fix Central and upgrade to 7.0.9.0_iFix8 or a subsequent 7.0.9 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.