Jun 17, 2018 - 12:11 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect FileNet Content Manager, IBM Content Foundation and FileNet BPM (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)

2018-06-17 12:11:01
www.ibm.com
CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

There are multiple vulnerabilities in the IBM Runtime Environment Java Technology Edition used by FileNet Content Manager, IBM Content Foundation and FileNet Business Process Manager. These issues are addressed in Version 1.6.0 SR16 FP4, which is part of the IBM Java SDK April 2015 update.

Vulnerability Details

CVEID: CVE-2015-0488
DESCRIPTION: An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0478
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1916
DESCRIPTION: Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101995 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

FileNet Content Manager 5.1.0, 5.2.0, 5.2.1
IBM Content Foundation 5.2.0, 5.2.1
FileNet Business Process Manager 4.5.1, 5.0.0, 5.2.0

Remediation/Fixes

Install IBM Java Runtime Environment (JRE) v1.6 SR16 FP4 or higher, which is provided in the releases listed in the table below.

| Product | VRMF | APAR | Remediation/First Fix Available |
| --- | --- | --- | --- |
| FileNet Content Manager (FNCM) | 5.1.0, 5.2.0, 5.2.1 | PJ43196 | 5.2.0.3-P8CPE-IF007 - August 4, 2015 |
| | | PJ43196 | 5.2.1.2-P8CPE-IF001 - August 4, 2015 |
| | | PJ43198 | 5.1.0.0-P8CSS-IF013 - July 31, 2015 |
| | | PJ43199 | 5.2.0.2-P8CSS-IF005 - August 4, 2015 |
| | | PJ43199 | 5.2.1.2-P8CSS-IF001 - August 4, 2015 |
| IBM Content Foundation (ICF) | 5.2.0, 5.2.1 | PJ43196 | 5.2.0.3-P8CPE-IF007 - August 4, 2015 |
| | | PJ43196 | 5.2.1.2-P8CPE-IF001 - August 4, 2015 |
| | | PJ43199 | 5.2.0.2-P8CSS-IF005 - August 4, 2015 |
| | | PJ43199 | 5.2.1.2-P8CSS-IF001 - August 4, 2015 |
| FileNet Business Process Manager | 4.5.1, 5.0.0, 5.2.0 | PJ43194 | 4.5.1.4-P8PE-IF008 - August 4, 2015 |
| | | PJ43195 | 5.0.0.8-P8PE-IF002 - August 4, 2015 |
| | | PJ43197 | eProcess-5.2.0-001.006 (Win, Sol, AIX, HP, HPUX only) - August 4, 2015 |

These releases are available on Fix Central: <http://www.ibm.com/support/fixcentral/>

Workarounds and Mitigations

None
