Security Bulletin: FileNet Content Management Interoperability Services (CMIS), which is shipped with IBM Content navigator, is affected by the ability to execute remote attacker’s arbitrary code on a target machine vulnerability

Summary

FileNet Content Management Interoperability Services (CMIS), which is shipped with IBM Content Navigator, has addressed the following vulnerability.
Ability to execute remote attacker’s arbitrary code on a target machine by leveraging the untrusted data in DiskFileItem class of FileUpload library

Vulnerability Details

CVEID: CVE-2016-1000031

DESCRIPTION: FileNet Content Management Interoperability Services (CMIS) could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of FileUpload library. A attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. The affected “Commons FileUpload” version 1.3.2 has been upgraded to the fixed version 1.3.3

CVSS Base Score: 9.8
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/117957&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Content Navigator 2.0.3.8
IBM Content Navigator 3.0
IBM Content Navigator 3.0.1
IBM Content Navigator 3.0.2

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Content Navigator | 2.0.3.8| Download the fix ICN 2.0.3 FP8 LA 15 from IBM Fix central (https://www.ibm.com/support/fixcentral/) )
IBM Content Navigator| 3.0| Download the fix ICN 3.0 LA 12 from IBM Fix central (https://www.ibm.com/support/fixcentral/)
IBM Content Navigator| 3.0.1| Download the fix ICN 3.0.1 LA 05 from IBM Fix central (<https://www.ibm.com/support/fixcentral/&gt;)
IBM Content Navigator| 3.0.2| Download the fix ICN 3.0.2 LA 02 from IBM Fix central (<https://www.ibm.com/support/fixcentral/&gt;)

Workarounds and Mitigations

None