Jun 17, 2018 - 12:10 p.m.

Security Bulletin: Three vulnerabilities in IBM FileNet Content Manager, IBM Content Foundation and IBM FileNet BPM (CVE-2014-6593, CVE-2015-0410, and CVE-2015-0383)

www.ibm.com
CVSS2: 5.4 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:N/I:P/A:C

Summary

Three security vulnerabilities exist in IBM FileNet Content Manager, IBM Content Foundation and IBM FileNet BPM. See the individual descriptions below for details.

Vulnerability Details

CVEID: CVE-2014-6593
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2015-0410
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0383
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)

Affected Products and Versions

IBM FileNet Content Manager 5.1.0, 5.2.0, 5.2.1 (includes CSS)
IBM Content Foundation 5.2.0, 5.2.1 (includes CSS)
IBM FileNet BPM 4.5.1, 5.0.0, 5.2.0

Remediation/Fixes

Upgrade to Java Runtime Environment (JRE) 1.6.0 SR16 FP3 or higher to avoid the security vulnerabilities listed in this Security Bulletin. By installing the applicable fixes in the table below, the private IBM JRE used by Process Engine (PE), Content Engine (CP/CPE) and Content Search Services (CSS) will be updated to 1.6.0 SR16 FP3.

Product: FileNet Content Manager
VRMF: 5.1.0, 5.2.0, 5.2.1
Remediation/First Fix Available:
  5.2.0.3-P8CPE-IF006 - April 8, 2015
  5.2.1.0-P8CPE-IF002 - April 8, 2015
  5.1.0.0-P8CSS-IF011 - April 8, 2015
  5.2.0.2-P8CSS-IF003 - April 8, 2015
  5.2.1.0-P8CSS-IF001 - April 8, 2015

Product: IBM Content Foundation
VRMF: 5.2.0, 5.2.1
Remediation/First Fix Available:
  5.2.0.3-P8CPE-IF006 - April 8, 2015
  5.2.1.0-P8CPE-IF002 - April 8, 2015
  5.2.0.2-P8CSS-IF003 - April 8, 2015
  5.2.1.0-P8CSS-IF001 - April 8, 2015

Product: FileNet BPM
VRMF: 4.5.1, 5.0.0, 5.2.0
Remediation/First Fix Available:
  4.5.1.4-P8PE-IF007 - April 8, 2015
  5.0.0.8-P8PE-IF001 - April 8, 2015
  eProcess-5.2.0-001.005 - April 10, 2015
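
To confirm after patching that a component's private JRE has reached the 1.6.0 SR16 FP3 level named above, the `java -version` banner can be parsed and compared. This is an added example, not code from IBM or the bulletin; the "(SR<n> FP<m>)" banner suffix is an assumption to check against your own JRE's output, the sample banners are constructed, and the path passed to `read_banner` is installation-specific.

```python
import re
import subprocess

# Minimum level from the bulletin's Remediation section: JRE 1.6.0 SR16 FP3.
REQUIRED = (16, 3)

# Assumption: the banner's build string ends in "(SR<n>)" or "(SR<n> FP<m>)".
_LEVEL = re.compile(r"\(SR(\d+)(?:\s+FP(\d+))?\)")
_VERSION = re.compile(r'java version "(\d+\.\d+\.\d+)')

# Constructed sample banners (build IDs and dates are made up).
FIXED = 'java version "1.6.0"\nJava(TM) SE Runtime Environment (build pxa6460sr16fp3-20150101_01(SR16 FP3))\n'
OLDER_FP = FIXED.replace("sr16fp3", "sr16fp2").replace("SR16 FP3", "SR16 FP2")
SR_ONLY = FIXED.replace("sr16fp3", "sr16").replace("(SR16 FP3)", "(SR16)")
LOWER_SR = FIXED.replace("sr16fp3", "sr15fp9").replace("SR16 FP3", "SR15 FP9")


def read_banner(java_bin):
    """Run `<java_bin> -version`; the JVM writes this banner to stderr."""
    proc = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    return proc.stderr


def parse_level(banner):
    """Return (java_version, service_refresh, fix_pack), or None if absent."""
    version = _VERSION.search(banner)
    level = _LEVEL.search(banner)
    if not version or not level:
        return None
    # A bare "(SR16)" means no fix pack on top of the service refresh.
    return version.group(1), int(level.group(1)), int(level.group(2) or 0)


def is_remediated(banner, required=REQUIRED):
    """True if a 1.6.0 JRE is at or above SR16 FP3; raise if undecidable."""
    parsed = parse_level(banner)
    if parsed is None:
        raise ValueError("no SR/FP level found in banner")
    version, sr, fp = parsed
    if version != "1.6.0":
        # SR numbering is per Java release, so the threshold does not transfer.
        raise ValueError("threshold applies to the 1.6.0 stream, got " + version)
    # Tuple comparison: SR decides first, FP only breaks ties within one SR.
    return (sr, fp) >= required


if __name__ == "__main__":
    for name in ("FIXED", "OLDER_FP", "SR_ONLY", "LOWER_SR"):
        print(name, parse_level(globals()[name]), is_remediated(globals()[name]))
```

Banners that cannot be parsed raise an error instead of passing, so an unexpected JRE build is flagged for manual review rather than reported as patched.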

Workarounds and Mitigations

None
