Jan 09, 2019 - 10:50 p.m.

Security Bulletin: IBM FileNet Content Manager component FileNet Deployment Manager security vulnerability

2019-01-09 22:50:01
www.ibm.com

EPSS: 0.001 (Low), percentile 41.9%

Summary

FileNet Deployment Manager external DTD security vulnerability.

Vulnerability Details

CVEID: CVE-2018-1844
DESCRIPTION: IBM Case Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150904> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

FileNet Content Manager 5.2.1, 5.5.0

Remediation/Fixes

To resolve these vulnerabilities, install one of the releases listed below.

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| FileNet Content Manager | 5.2.1 | PJ45146 | 5.2.1.7-P8CPE-IF004 - 10/8/2018 |
| FileNet Content Manager | 5.5.0 | PJ45146 | 5.5.0.0-P8CPE-IF003 - 12/18/2018 |

In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

Either do not run FileNet Deployment Manager, or upgrade to 5.2.1.7-P8CPE-IF004 or 5.5.0.0-P8CPE-IF003.
