Feb 14, 2019 - 7:50 p.m.

Security Bulletin: IBM FileNet Content Manager and IBM Enterprise Content Management Text Search security vulnerability in Apache PDFBox

2019-02-14 19:50:01
www.ibm.com

EPSS: 0.001 (Low)
Percentile: 47.3%

Summary

A denial of service vulnerability may affect Apache PDFBox v1.8.15, which is used by IBM FileNet Content Manager and IBM Enterprise Content Management Text Search.

Vulnerability Details

CVEID: CVE-2018-11797
DESCRIPTION: Apache PDFBox is vulnerable to a denial of service, caused by a flaw when parsing the page tree. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150898> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

FileNet Content Manager 5.2.1, 5.5.0, 5.5.1

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below to upgrade Apache PDFBox to v1.8.16.

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| FileNet Content Manager | 5.2.1 | PJ45534, PJ45535 | 5.2.1.7-P8CPE-IF005 - 2/13/2019; 5.2.1.7-P8CSS-IF005 - 2/13/2019 |
| FileNet Content Manager | 5.5.0 | PJ45534, [PJ45535](<http://www.ibm.com/support/docview.wss?uid=swg1PJ45535>) | 5.5.0.0-P8CPE-IF003 - 12/18/2018; 5.5.0.0-P8CSS-IF003 - 12/18/2018 |
| FileNet Content Manager | 5.5.1 | PJ45534, [PJ45535](<http://www.ibm.com/support/docview.wss?uid=swg1PJ45535>) | 5.5.1.0-P8CPE-IF002 - 1/15/2019; 5.5.1.0-P8CSS-IF002 - 1/15/2019 |

In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

None
