Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1903
Security Bulletin: Multiple vulnerabilities affect FileNet products
5 August 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM FileNet Workplace
IBM FiletNet Integration for Microsoft Office
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Increased Privileges -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3054 CVE-2016-2542
Reference: ESB-2016.0998
ESB-2016.0806
ESB-2016.0805
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21987129
http://www.ibm.com/support/docview.wss?uid=swg21981500
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: FileNet Workplace can be affected by the File Upload XSS
vulnerability (CVE-2016-3054)
Security Bulletin
Document information
More support for:
FileNet Content Manager
Application Engine
Software version:
4.0.2
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Reference #:
1987129
Modified date:
2016-08-04
Summary
FileNet Workplace is susceptible to the File Upload XSS vulnerability
Vulnerability Details
Relevant CVE Information:
CVEID:
CVE-2016-3054
DESCRIPTION:
IBM FileNet Workplace is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/114753
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
FileNet Workplace 4.0.2
Remediation/Fixes
Refer to the Workarounds and Mitigations section.
Workarounds and Mitigations
There are 2 different implementations that can be used to address this
vulnerability. You may chose to implement only one or to use both.
1) Check and remove malicious content before it gets added in to the P8
repository.
2) Check when malicious content is being viewed and not allow it to be
executed.
The following are some suggestions on the various ways to prevent malicious
files from being either uploaded and/or executed. These methods have not been
implemented or tested by IBM. They are just examples. For detailed
implementation plans, please consult IBM ECM Lab Services or an IBM ECM
Business Partner.
To avoid malicious content being entered in to the P8 repository:
(1) Create a custom event action that's triggered on an AddDocument event
that checks either the file type being added or calls a file scanner to
validate the contents before the content is added.
(2) Configure a file scanner to scan the storage volume where content is
being saved and have it send an alert when it finds malicious content.
To prevent content that contains JavaScript code from being executed when it
is viewed by AE:
(1) Force JavaScript files to be viewed as text. An AE response filter could
be implemented to change the MIME Type from JavaScript to Text.
(2) Configure your browser to not execute JavaScript files.
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
This vulnerability was reported to IBM by Roshan Thomas at secvibe.com
Change History
22 July 2016: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: Vulnerability in Flexera InstallShield affects FileNet
Integration for Microsoft Office (CVE-2016-2542)
Security Bulletin
Document information
More support for:
FileNet Content Manager
Integration for Microsoft Office
Software version:
1.1.5
Operating system(s):
Windows
Reference #:
1981500
Modified date:
2016-08-04
Summary
InstallShield generates installation executable files which are vulnerable to
a DLL-planting vulnerability.
Vulnerability Details
CVEID:
CVE-2016-2542
DESCRIPTION:
Flexera InstallShield could allow a local attacker to gain elevated
privileges on the system, caused by an untrusted search path. An attacker
could exploit this vulnerability using a Trojan horse DLL in the current
working directory of a setup-launcher executable file to gain elevated
privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110914
for the current score
CVSS Environmental Score*:
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
FileNet Integration for Microsoft Office 1.1.5
Remediation/Fixes
Please follow the steps in the 'Workarounds and Migrations' section.
Workarounds and Mitigations
To avoid the untrusted search path vulnerability where users could gain
increased privileges, perform the following additional steps prior to
installation:
1. Clear all contents (files, sub-directories and etc.,) of your default
download directory/location, if any.
2. Create a new secure directory in temporary location (such that elevated
privileges are required to access this directory).
3. Copy/extract the setup.exe executable (generated by InstallShield) to the
secure directory created in Step 2.
4. Launch the executable from the secure directory and wait until it completes.
Important
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
Change History
17 April 2016 - Original version published
11 July 2016 - Updated CVE Information
01 August 2016 - Updated product list
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV6P0jox+lLeg9Ub1AQiCWQ//ceVLwSV1gCP7c1eZbcV/ZoGGPmx14nka
RNBNPH7XC/INu049hM+GCQLZU5GaG6fXybk5B68MZsbVUpI/Xcwuqypu0gGtRG+U
3uAGM7irx6VtpKGrNz8sMs/cy+mEK/OLzOMvwTLnZ0pDa3bWej6WYQl2H8iiNI7G
Z5c4tb1b0AVIiVlKXVbhFPJXB3r7+tXAc8Kb/jyx9wlhYgMqTvGnthOWmaO6F9Bs
JotsrAdcpoRCQYWkA6V1uTZyYb+lF2obC9O+W1vq3pkTqz88BeGbjPpCFRaqxty6
IG4MhXyd+GmUVZNQb4+CL9n0IB537tPLKBBozOF528VTrUh9lRMin5jgJc973dzm
zrdZ6qoOEY84wZPgPIjlV9vfPtUPSbBZyiffecXcGirW3u/NlTTSAwMkpqROLNX/
UiWUlfSRypc0Y+7O2a+XA5skmYRcoCFypeKaJosjMxJyLH0DvnZ3D7yC0Rq5L9s+
uXlYPiHmvL0VUgatQH/upiOHWbczzLR4ohaJTFF+ij1ogVP2Mf1qD1tcQ0luwg87
H9LPMbMRU3jS4DlJAp7iLLf1m5uSHX1tBlZ4qAZ3Qt7LrWE2Up/BXobQFWP1DevZ
FC7I2rQGMLBKjBoe7bYp+qycBPg1pmfqAeRHOR9SUxMO2BkhSR9iBQQBIaQdJkcV
wFx3iruOg0M=
=Pbje
-----END PGP SIGNATURE-----