Security Bulletin: Apache Commons Collections affects Cúram Social Program Management (CVE-2015-7450)

Summary

Cúram SPM uses the Apache Commons Collections Library. Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.

Vulnerability Details

CVEID: CVE-2015-7450 **DESCRIPTION:Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8 *CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Cúram Social Program Management 5.2
IBM Cúram Social Program Management 6.0 SP2
IBM Cúram Social Program Management 6.0.4
IBM Cúram Social Program Management 6.0.5
IBM Cúram Social Program Management 6.1
IBM Care Management 6.0

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
Cúram SPM| 5.2 SP6| Visit IBM Fix Central and upgrade to 5.2 SP6 EP9 or a subsequent 5.2 Release
Cúram SPM| 6.0 SP2| Visit IBM Fix Central and upgrade to 6.0 SP2 EP28 or a subsequent 6.0 Release
Cúram SPM| 6.0.4.6| Visit IBM Fix Central and upgrade to 6.0.4.6 iFix2 or a subsequent 6.04 Release
Cúram SPM| 6.0.5| Visit IBM Fix Central and upgrade to 6.0.5.9 iFix1 or a subsequent 6.0.5 Release
Cúram SPM| 6.1| Visit IBM Fix Central and upgrade to 6.1.1 iFix1 or a subsequent 6.1 Release
Cúram Care Management| 6.0| See Workarounds & Mitigations

Workarounds and Mitigations

Care Management Release:

Customers should contact IBM Cúram support if they require a security fix.

For older revisions of Cúram SPM:

It is recommended that customers upgrade to the latest Cúram SPM release to resolve this issue. Customers may apply the following steps to resolve the issue while they prepare to upgrade.

The 3.2.2 version of the Commons Collections JAR should be used to replace the existing references at the following locations within the JDE deliverable:

- CuramSDEJ\lib\commons-collections-3.x.jar (for 5.2 releases, the version is “commons-collections-3.1.jar”, for all other releases it is “commons-collections-3.2.1.jar”) - rename the newly downloaded Commons Collections JAR to match the name of the Commons Collections JAR file that is present in this location. Replace the existing Commons Collection JAR with the new JAR. It is important to rename the new JAR to match the JAR being replaced as this will ensure that no build script changes are required as a result of this update.

- CuramCDEJ\lib\ext\jar\commons-collections.jar - replace this file with the newly downloaded JAR.

Customers can perform their process to test the changes, and then build and deploy to the required environment.