Security Bulletin: A Vulnerability in Apache Santuario affects IBM Cúram (CVE-2013-2172)

Summary

IBM Cúram is shipped with a third party library called Santuario, which is vulnerable to a Java spoofing attack.

Vulnerability Details

CVEID: CVE-2013-2172 DESCRIPTION: Apache Santuario XML Security for Java could allow a remote attacker to conduct spoofing attacks, caused by the failure to restrict canonicalization algorithms to be applied to the CanonicalizationMethod parameter. An attacker could exploit this vulnerability to spoof the XML signature.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 6.1
IBM Cúram Social Program Management 6.0.5
IBM Cúram Social Program Management 6.0.4
IBM Cúram Social Program Management 6.0 SP2
IBM Cúram Social Program Management 5.2 SP6
IBM Care Management 6.0

Remediation/Fixes

Product

| VRMF | Remediation/First Fix
—|—|—
Cúram SPM | 6.1 | Visit IBM Fix Central and upgrade to 6.1.0.1FixPack or a subsequent 6.1.0 release
Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 6.0.5.9 or a subsequent 6.0.5 release
Cúram SPM | 6.0.4 | Visit IBM Fix Central and upgrade to 6.0.4.6iFix1 or a subsequent 6.0.4 release
Cúram SPM | 6.0 SP26 | Visit IBM Fix Central and upgrade to 6.0 SP2 EP27 or a subsequent 6.0 release
Cúram SPM | 5.2 SP6 | Cúram SPM 5.2 provides no OOTB supports for Axis 2 (See Workarounds & Mitigations)
Cúram Care Management | 6.0 | See Workarounds & Mitigations

Workarounds and Mitigations

If your 5.2 version of Cúram SPM is using Axis1 for web services the appropriate remediation is to upgrade to a more recent version of Cúram. If this is not viable, contact IBM Cúram Support for help with identification of mitigation.

For the Care Management release, the download site has been updated to warn potential customers of security issues. Customers should contact IBM Cúram Support if they require a security fix.