Security Bulletin: IBM FileNet Content Manager affected by Apache PDFBox security vulnerability

2019-01-16 20:15:01
Source: www.ibm.com

CVSS3: 6.5 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

Summary

IBM FileNet Content Manager has addressed the following security vulnerability.

Apache PDFBox is vulnerable to a denial of service, caused by an out of memory exception in AFMParser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.

For more information please refer to the X-Force database entries referenced below.

Vulnerability Details

CVEID: CVE-2018-8036
DESCRIPTION: Apache PDFBox is vulnerable to a denial of service, caused by an out of memory exception in AFMParser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145592> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM FileNet Content Manager 5.2.1, 5.5.0, 5.5.1

Remediation/Fixes

To address this vulnerability, install one of the fixes listed below; each upgrades the bundled Apache PDFBox to 1.8.15 or higher.

Product                  VRMF   APAR     Remediation/First Fix
FileNet Content Manager  5.2.1  PJ45440  5.2.1.7-P8CPE-IF004 - 10/8/2018
                                PJ45441  5.2.1.7-P8CSS-IF004 - 10/8/2018
FileNet Content Manager  5.5.0  PJ45440  5.5.0.0-P8CPE-IF003 - 12/18/2018
                                PJ45441  5.5.0.0-P8CSS-IF003 - 12/18/2018
FileNet Content Manager  5.5.1  PJ45440  5.5.1.0-P8CPE-IF001 - 8/24/2018
                                PJ45441  5.5.1.0-P8CSS-IF002 - 1/15/2019

In the above table, the APAR links provide more information about each fix.
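Verifying that the fix actually landed means checking which PDFBox build is on the classpath of every deployment. The following inventory check is an added example, not IBM's or Apache's code: it walks a directory for pdfbox-*/fontbox-* jars (AFMParser ships in the fontbox module), reads the version from the jar manifest or file name, and flags anything below 1.8.15 per this bulletin. The 2.0.11 threshold for the 2.0.x branch comes from the upstream Apache announcement for CVE-2018-8036 and is not stated in this bulletin; the sample jars and paths are constructed.

```python
import io
import re
import zipfile
from pathlib import Path

# 1.8.15 is the fixed release per this bulletin; 2.0.11 per Apache's CVE-2018-8036 announcement.
FIXED = {(1, 8): (1, 8, 15), (2, 0): (2, 0, 11)}
JAR_NAME = re.compile(r"(?:^|/)(?:pdfbox|fontbox)[^/]*\.jar$")

def parse_version(text):
    """'1.8.14' or '2.0.9-SNAPSHOT' -> (1, 8, 14) / (2, 0, 9); None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(jar_bytes, path):
    """Prefer Implementation-Version from MANIFEST.MF; fall back to the file name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest = (z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in z.namelist() else "")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1) if m else path.rsplit("/", 1)[-1])

def is_vulnerable(version):
    """True below the fixed release of its branch; pre-1.8 lines predate any fix. None = review manually."""
    if version is None:
        return None
    return version < FIXED.get(version[:2], (1, 8, 15))

def scan_jars(jars):
    """jars: iterable of (path, bytes) -> [(path, version, vulnerable)] for PDFBox/FontBox jars."""
    findings = []
    for path, data in jars:
        if JAR_NAME.search(path):
            version = jar_version(data, path)
            findings.append((path, version, is_vulnerable(version)))
    return findings

def scan_directory(root):
    """Walk a deployment tree (application server lib directories, unpacked WAR/EAR files)."""
    return scan_jars((p.as_posix(), p.read_bytes()) for p in Path(root).rglob("*.jar"))

def make_jar(impl_version=None):
    """Constructed sample jar (not a real PDFBox build): a manifest and nothing else."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = f"Implementation-Version: {impl_version}\r\n" if impl_version else ""
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n" + manifest)
    return buf.getvalue()

SAMPLE_JARS = [("lib/pdfbox.jar", make_jar("1.8.14")),  # constructed inventory: renamed jar,
               ("lib/fontbox-1.8.15.jar", make_jar()),   # jar without a version in its manifest,
               ("lib/pdfbox-2.0.9.jar", make_jar("2.0.9")),  # a 2.0.x jar, and an unrelated jar
               ("lib/commons-io-2.6.jar", make_jar("2.6"))]
```

Run `scan_directory("/path/to/deployment")` against a real installation; `scan_jars(SAMPLE_JARS)` exercises the constructed inventory, flagging the 1.8.14 and 2.0.9 jars and passing 1.8.15.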

Workarounds and Mitigations

None
