Security Bulletin: Remote code execution vulnerability (CVE-2019-11269) affects IBM Spectrum Symphony 7.2.1 and 7.2.0.2

Summary

A remote code execution vulnerability exists in the Spring Security OAuth version used by IBM Spectrum Symphony 7.2.1 and 7.2.0.2. Interim fixes that provide instructions on upgrading the Spring Security OAuth package to version 2.0.18 (which resolves this vulnerability) are available on IBM Fix Central.

Vulnerability Details

CVE-ID: CVE-2019-11269 Description: Spring Security OAuth could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using redirect_uri parameter in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base Score: 7.4
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/162650&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

IBM Spectrum Symphony 7.2.1

IBM Spectrum Symphony 7.2.0.2

Remediation/Fixes

Download the interim fixes that correspond to your product version from IBM Fix Central, then follow the steps in the accompanying readme to apply the interim fix on Linux x86_64 hosts in your cluster:

IBM Spectrum Symphony 7.2.1 (x86_64)

|

sym-7.2.1-build523774

—|—

IBM Spectrum Symphony 7.2.0.2 (x86_64)

|

sym-7.2.0.2-build523769

Workarounds and Mitigations

None.