Security Bulletin: IBM Sterling Order Management is affected by Apache Commons BeanUtils security vulnerabilities (CVE-2019-10086)

Summary

IBM Sterling Order Management use Apache Commons BeanUtils and are affected by some of the vulnerabilities that exist in this component.

Vulnerability Details

CVEID:CVE-2019-10086
**DESCRIPTION:**Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

The recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes.

Product

|

_Security Fix Pack_*

|

How to acquire fix

—|—|—

IBM Sterling Order Management 9.4.0

|

9.4.0-SFP6

|

https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.4.0.0%20Sterling%20SSFF%20Security&tabType[0]=support

_ _

Select appropriate VRMF

IBM Sterling Order Management 9.5.0

|

9.5.0-SFP5

| https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.5.0.0%20Sterling%20SSFF%20Security&tabType[0]=support

_ _

Select appropriate VRMF

IBM Sterling Order Management 10.0

|

10.0-SFP2

|

https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=Foundation10%20Security&tabType[0]=support

_ _

Select appropriate VRMF

Workarounds and Mitigations

None