Security Bulletin: IBM FileNet Content Manager and Case Foundation are affected by Publicly disclosed vulnerability in Java July 2019

Summary

IBM FileNet Content Manager and Case Foundation has addressed the following vulnerabilities in versions 5.5.2 and 5.5.3.

Vulnerability Details

CVEID:CVE-2019-2762
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163826&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-2769
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163832&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

FileNet Content Manager and Case Foundation 5.5.2, 5.5.3

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below to upgrade IBM Java to the July/August 2019 release.
IBM Java 8.0.5.40

5.5.2

5.5.3

| PJ45868
PJ45868
|

5.5.2.0-P8CPE-IF003 - 10/9/2019
5.5.3.0-P8CPE-IF001 - 9/27/2019

Workarounds and Mitigations

Disable use of Process Engine Process Designer