Security Bulletin: IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to Spring Web Unsafe Deserialization [CVE-2016-1000027]

Summary

There is a vulnerability in the Spring Web open source library used by IBM OpenPages for IBM Cloud Pak for Data. This vulnerability has been addressed. [CVE-2016-1000027]

Vulnerability Details

CVEID:CVE-2016-1000027
**DESCRIPTION:**Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw in the library. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174367 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM OpenPages for IBM Cloud Pak for Data 8.300.x, 8.301.x or 8.302.x

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

If you are using IBM OpenPages for IBM Cloud Pak for Data 8.300.x, 8.301.x or 8.302.x, you will need to upgrade to

1. IBM Cloud Pak for Data Version 4.7or later** **

2. IBM OpenPages for IBM Cloud Pak for Data 8.302.2or later** **

Upgrade installation instructions are provided at the URL listed below:

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.7.x?topic=openpages-upgrading&gt;

Workarounds and Mitigations

None