Lucene search

K
ibmIBMFDA15F1EB6328218F8063DD7CE6F8209750D071B9A7DCFF2875F6E5B8D26DA73
HistoryJul 01, 2022 - 5:54 p.m.

Security Bulletin: junrar Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS)

2022-07-0117:54:00
www.ibm.com
6

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

23.9%

Summary

junrar Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS). Junrar before v1.0.1 is affected by a denial of service vulnerability due to an infinite loop when handling corrupt RAR files.

Vulnerability Details

CVEID:CVE-2018-12418
**DESCRIPTION:**Junrar is vulnerable to a denial of service, caused by an error in the Archive.java. By persuading a victim to open a specially-crafted RAR file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/144838 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Enterprise Content Management Text Search 5.5.4.0
IBM Enterprise Content Management Text Search 5.5.7.0
IBM Enterprise Content Management Text Search 5.5.8.0

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below to upgrade junrar.

Product VRMF APAR Remediation/First Fix
FileNet Content Manager

5.5.4

5.5.7
5.5.8

| PJ46717
PJ46717
PJ46717

| 5.5.4.0-P8CSS-IF008 - 5/24/2022
5.5.7.0-P8CSS-IF003 - 6/29/2022
5.5.8.0-P8CSS-IF001 - 3/22/2022

In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

Disable indexing of RAR files.

Affected configurations

Vulners
Node
ibmfilenet_content_managerMatch5.5.4
OR
ibmfilenet_content_managerMatch5.5.7
OR
ibmfilenet_content_managerMatch5.5.8

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

23.9%

Related for FDA15F1EB6328218F8063DD7CE6F8209750D071B9A7DCFF2875F6E5B8D26DA73