Lucene search

K
ibmIBM891E5F0424A107621BE648D5F1576C607F7834B3BC114E0F945E5010BA70A9F3
HistoryMar 05, 2020 - 12:02 p.m.

Security Bulletin: Vulnerability in Apache Commons Beanutils library affect IBM Cúram Social Program Management (CVE-2019-10086)

2020-03-0512:02:12
www.ibm.com
4

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

IBM Cúram Social Program Management uses the Apache Commons Beanutils library, for which there is a publicly known vulnerability. The vulnerability could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.

Vulnerability Details

CVEID:CVE-2019-10086
**DESCRIPTION:**Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Curam SPM 7.0.5.0 - 7.0.8
Curam SPM 7.0.0.0 - 7.0.4.4
Curam SPM 6.2.0.0 - 6.2.0.6
Curam SPM 6.1.0.0 - 6.1.1.6
Curam SPM 6.0.5.0 - 6.0.5.10

Remediation/Fixes

Product VRMF Remediation/First Fix
Cúram SPM

7.0.9

| Visit IBM Fix Central and upgrade to 7.0.9 or a subsequent 7.0.9 release.
Cúram SPM |

7.0.4.4

| Visit IBM Fix Central and upgrade to 7.0.4.4_iFix1 or a subsequent 7.0.4.4 release.
Cúram SPM |

6.2.0.6

| Visit IBM Fix Central and upgrade to 6.2.0.6_iFix4 or a subsequent 6.2.0.6 release.
Cúram SPM |

6.1.1.6

| Visit IBM Fix Central and upgrade to 6.1.1.6_iFix4 or a subsequent 6.1.1.6 release.
Cúram SPM | 6.0.5.10 | Visit IBM Fix Central and upgrade to 6.0.5.10_iFix5 or a subsequent 6.0.5.10 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P