ibmIBMFEF059B015A81B33DB20267AB1E57A6B66A7880C75417A5CE5E485C06805E565
History: Jun 17, 2018 - 12:14 p.m.

Security Bulletin: Vulnerability in InstallShield affects Content Manager OnDemand for Multiplatforms V9.5 - Windows Client (CVE-2016-2542)

2018-06-17 12:14:35
www.ibm.com
6

EPSS: 0.0004 Low

Percentile: 5.1%

Summary

The Windows Client for IBM Content Manager OnDemand for Multiplatforms V9.5 has a vulnerability caused by InstallShield.

Vulnerability Details

CVEID: CVE-2016-2542
DESCRIPTION: Flexera InstallShield could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability using a Trojan horse DLL in the current working directory of a setup-launcher executable file to gain elevated privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110914 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Content Manager OnDemand for Multiplatforms V9.5

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
—|—|—|—
IBM Content Manager OnDemand for Multiplatforms | 9.5 | N/A | Fix is provided in V9.5.0.5 on Fix Central

Workarounds and Mitigations

Install the fix pack by running the installation wizard or by running a silent installation.
To avoid an untrusted search path vulnerability where users could gain increased privileges, perform the following additional steps:

1. Clear all contents (files, subdirectories, etc.) of your default download directory/location, if any.
2. Create a new secure directory in a temporary location (such that elevated privileges are required to access this directory).
3. Copy/extract the setup.exe executable to the secure directory created in Step 2.
4. Launch the executable from the secure directory and wait until it completes. Important: Do not enter line breaks in the command that you enter to start the installation program.
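
Steps 2 to 4 can be scripted as follows. This is an added example, not part of IBM's bulletin; it assumes an elevated PowerShell session, and the download path, the directory name under `%SystemRoot%\Temp` and the choice of Administrators plus SYSTEM as the only principals with access are illustrative. Step 1 (clearing the download directory) is left as a manual step.

```powershell
# Added example: stage setup.exe in an admin-only directory, then launch it there.
# Run from an elevated PowerShell session. $Source is an assumed download path.
param([string]$Source = "$env:USERPROFILE\Downloads\setup.exe")
$ErrorActionPreference = 'Stop'

# Step 2: new directory under the machine temp location (name is illustrative).
$secure = Join-Path $env:SystemRoot ('Temp\cmod-setup-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $secure | Out-Null

# Drop inherited ACEs; grant full control only to Administrators (S-1-5-32-544)
# and SYSTEM (S-1-5-18). Well-known SIDs avoid localized group names.
icacls $secure /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $secure" }

# The directory must be empty before anything is copied in.
if (Get-ChildItem -LiteralPath $secure -Force) { throw "$secure is not empty" }

# Step 3: copy only the launcher, nothing else from the download location.
$exe = Join-Path $secure 'setup.exe'
Copy-Item -LiteralPath $Source -Destination $exe

# A DLL sitting beside setup.exe is what the untrusted search path would load,
# so refuse to continue if anything other than setup.exe is present.
$extra = Get-ChildItem -LiteralPath $secure -Force | Where-Object { $_.Name -ne 'setup.exe' }
if ($extra) { throw "Unexpected files in ${secure}: $($extra.Name -join ', ')" }

# Step 4: launch with the secure directory as working directory and wait.
$p = Start-Process -FilePath $exe -WorkingDirectory $secure -Wait -PassThru
"setup.exe exited with code $($p.ExitCode)"
```

Setting the working directory explicitly matters here because the bulletin describes the DLL being picked up from the launcher's current working directory.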
