Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.3072.2 Security Bulletin: IBM FileNet Content Manager affected by multiple security vulnerabilities 17 January 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM FileNet Content Manager Publisher: IBM Operating System: AIX HP-UX Linux variants Solaris Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-18224 CVE-2018-18223 CVE-2018-8036 CVE-2018-3302 CVE-2018-3234 CVE-2018-3233 CVE-2018-3232 CVE-2018-3231 CVE-2018-3230 CVE-2018-3229 CVE-2018-3228 CVE-2018-3227 CVE-2018-3226 CVE-2018-3225 CVE-2018-3224 CVE-2018-3223 CVE-2018-3222 CVE-2018-3221 CVE-2018-3220 CVE-2018-3219 CVE-2018-3218 CVE-2018-3217 CVE-2018-3147 CVE-2012-5783 Reference: ESB-2018.3960 ESB-2018.3072 ESB-2018.2891 ESB-2018.2484 ESB-2018.2465 ESB-2018.2119 ESB-2018.2117 ESB-2018.2085 ESB-2018.2070 ESB-2018.2043 ESB-2018.1983 Original Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10731533 http://www.ibm.com/support/docview.wss?uid=ibm10736035 http://www.ibm.com/support/docview.wss?uid=ibm10716315 Comment: This bulletin contains three (3) advisories. Revision History: January 17 2019: Updated to include latest advisories October 11 2018: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: IBM FileNet Content Manager affected by Apache HttpClient security vulnerability Document information Software version: 5.2.1 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Reference #: 0731533 Modified date: 09 October 2018 Summary Security vulnerability may affect Apache HttpClient used by IBM FileNet Content Manager. Vulnerability Details CVEID: CVE-2012-5783 DESCRIPTION: Apache Commons HttpClient could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base Score: 4.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 79984 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) Remediation/Fixes To resolve these vulnerabilities, install one of the releases below. +--------------------------------+---------+------------+--------------------------------------------+ |Product |VRMF |APAR |Remediation/First Fix | +--------------------------------+---------+------------+--------------------------------------------+ |FileNet Content Manager |5.2.1 |PJ45429 |5.2.1.7-P8CPE-IF004 - 10/8/2018 | +--------------------------------+---------+------------+--------------------------------------------+ In the above table, the APAR links will provide more information about the fix. Workarounds and Mitigations None Change History 8 October, 2018 - initial release *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - -------------------------------------------------------------------------------- Security Bulletin: IBM FileNet Content Manager affected by Apache HttpClient security vulnerability Document information Software version: 5.2.1 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Reference #: 0731533 Modified date: 09 October 2018 Summary Security vulnerability may affect Apache HttpClient used by IBM FileNet Content Manager. Vulnerability Details CVEID: CVE-2012-5783 DESCRIPTION: Apache Commons HttpClient could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base Score: 4.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 79984 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) Remediation/Fixes To resolve these vulnerabilities, install one of the releases below. +--------------------------------+---------+------------+--------------------------------------------+ |Product |VRMF |APAR |Remediation/First Fix | +--------------------------------+---------+------------+--------------------------------------------+ |FileNet Content Manager |5.2.1 |PJ45429 |5.2.1.7-P8CPE-IF004 - 10/8/2018 | +--------------------------------+---------+------------+--------------------------------------------+ In the above table, the APAR links will provide more information about the fix. Workarounds and Mitigations None Change History 8 October, 2018 - initial release *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - -------------------------------------------------------------------------------- Security Bulletin: IBM FileNet Content Manager affected by Apache PDFBox Component: Content Platform Engine, Content Search Services Software version: 5.2.1, 5.5.0, 5.5.1 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Reference #: 0716315 Summary IBM FileNet Content Manager has addressed the following security vulnerability. Apache PDFBox is vulnerable to a denial of service, caused by an out of memory exception in AFMParser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. For more information please refer to the X-Force database entries referenced below. Vulnerability Details CVEID: CVE-2018-8036 DESCRIPTION: Apache PDFBox is vulnerable to a denial of service, caused by an out of memory exception in AFMParser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base Score: 5.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 145592 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) Affected Products and Versions IBM FileNet Content Manager 5.2.1, 5.5.0, 5.5.1 Remediation/Fixes To address this vulnerability install one of the fixes listed below to upgrade to Apache PDFBox 1.8.15 or higher. +-----------------------------------+-------+----------+---------------------------------+ |Product |VRMF |APAR |Remediation/First Fix | +-----------------------------------+-------+----------+---------------------------------+ |FileNet Content Manager |5.2.1 |PJ45440 |5.2.1.7-P8CPE-IF004 - 10/8/2018 | | | |PJ45441 |5.2.1.7-P8CSS-IF004 - 10/8/2018 | | |5.5.0 |PJ45440 |5.5.0.0-P8CPE-IF003 - 12/18/2018 | | | |PJ45441 |5.5.0.0-P8CSS-IF003 - 12/18/2018 | | |5.5.1 |PJ45440 |5.5.1.0-P8CPE-IF001 - 8/24/2018 | | | |PJ45441 |5.5.1.0-P8CSS-IF002 - 1/15/2019 | +-----------------------------------+-------+----------+---------------------------------+ In the above table, the APAR links will provide more information about the fix Workarounds and Mitigations None Get Notified about Future Security Bulletins Subscribe to My Notifications to be notified of important product support alerts like this. Important Note IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk. Reference Complete CVSS v3 Guide On-line Calculator v3 Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 8 October, 2018: Original Version Published 16 January, 2019: Added 5.5.0 and 5.5.1.0-P8CSS-IF002 releases *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Document information Modified date: 16 January 2019 - -------------------------------------------------------------------------------- Security Bulletin: IBM FileNet Content Manager affected by Apache HttpClient Component: Content Platform Engine Software version: 5.2.1, 5.5.0, 5.5.1 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Reference #: 0731533 Summary Security vulnerability may affect Apache HttpClient used by IBM FileNet Content Manager. Vulnerability Details CVEID: CVE-2012-5783 DESCRIPTION: Apache Commons HttpClient could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base Score: 4.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 79984 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) Affected Products and Versions IBM Content Manager 5.2.1, 5.5.0, 5.5.1 Remediation/Fixes To resolve these vulnerabilities, install one of the releases below. +--------------------------------+---------+------------+------------------------------- + |Product |VRMF |APAR |Remediation/First Fix | +--------------------------------+---------+------------+------------------------------- + |FileNet Content Manager |5.2.1 |PJ45429 |5.2.1.7-P8CPE-IF004 - 10/8/2018 | | |5.5.0 |PJ45429 |5.5.0.0-P8CPE-IF003 - 12/14/2018| | |5.5.1 |PJ45429 |5.5.1.0-P8CPE-IF002 - 1/15/2019 | +--------------------------------+---------+------------+--------------------------------+ +--------------------------------+---------+------------+--------------------------------+ In the above table, the APAR links will provide more information about the fix. Workarounds and Mitigations None Get Notified about Future Security Bulletins Subscribe to My Notifications to be notified of important product support alerts like this. Reference Complete CVSS v3 Guide On-line Calculator v3 Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 8 October, 2018 - initial release 15 January, 2019 - Added 5.5.0 and 5.5.1 releases *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Document information Modified date: 16 January 2019 - -------------------------------------------------------------------------------- Security Bulletin: Publicly disclosed vulnerability in Oracle Outside In Technology used by IBM FileNet Content Manager Component: Content Platform Engine, Content Search Services Software version: 5.2.1, 5.5.0, 5.5.1, 5.5.2 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Reference #: 0736035 Summary Multiple vulnerabilities may affect Oracle Outside In Technology (OIT) Version 8.5.3 used by IBM FileNet Content Manager. Oracle OIT issues disclosed in the Oracle October 2018 Critical Patch Update. Vulnerability Details CVEID: CVE-2018-18224 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters (ODA Module) component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151427 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3227 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151542 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3226 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151541 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3218 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause high confidentiality impact, low integrity impact, and no availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151533 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) CVEID: CVE-2018-3229 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151544 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3217 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause high confidentiality impact, low integrity impact, and no availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151532 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) CVEID: CVE-2018-3228 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151543 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3219 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause high confidentiality impact, no integrity impact, and low availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151534 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L) CVEID: CVE-2018-3230 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151545 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3232 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151547 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3221 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151536 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3231 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151546 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3220 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause high confidentiality impact, no integrity impact, and low availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151535 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L) CVEID: CVE-2018-3223 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151538 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3234 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151549 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3233 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151548 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3222 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151537 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3225 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151540 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3302 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151614 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3224 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151539 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) CVEID: CVE-2018-3147 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base Score: 4.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151463 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CVEID: CVE-2018-18223 DESCRIPTION: An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters (ODA Module) component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and high availability impact. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151426 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) Affected Products and Versions FileNet Content Manager 5.2.1, 5.5.0, 5.5.1, 5.5.2 Remediation/Fixes To resolve these vulnerabilities, install one of the patch sets listed below to upgrade Oracle Outside In Technology (OIT) to the July 2018 v8.5.3 patch 28760615 release. +-------------------------------------+----------+--------------+----------------------------------------------------+ |Product |VRMF |APAR |Remediation/First Fix | +-------------------------------------+----------+--------------+----------------------------------------------------+ |FileNet Content Manager |5.2.1 |PJ45551 |5.2.1.7-P8CPE-ALL-LA015 - 1/18/2019 | | |5.5.0 |PJ45552 |5.2.1.7-P8CSS-ALL-LA004 - 1/18/2019 | | |5.5.1 |PJ45551 |5.5.0.0-P8CPE-ALL-LA004 - 1/18/2019 | | |5.5.2 |PJ45552 |5.5.0.0-P8CSS-ALL-LA002 - 1/18/2019 | | | |PJ45551 |5.5.1.0-P8CPE-IF002 - 1/15/2019 | | | | |5.5.1.0-P8CSS-IF002 - 1/15/2019 | | | |PJ45552 |5.5.2.0-P8CPE-ALL-LA003 - 1/18/2019 | | | |PJ45551 |5.5.2.0-P8CSS-ALL-LA001 - 1/18/2019 | | | |PJ45552 | | +-------------------------------------+----------+--------------+----------------------------------------------------+ In the above table, the APAR links will provide more information about the fix. Contact IBM support for access to the Limited Availability (LA) fixes. Workarounds and Mitigations None Get Notified about Future Security Bulletins Subscribe to My Notifications to be notified of important product support alerts like this. Reference Complete CVSS v3 Guide On-line Calculator v3 Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 16 January, 2019 - Initial release *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Document information Modified date: 16 January 2019 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXEAM2GaOgq3Tt24GAQjEsxAAjYWvyeX+UFoWgW0ZYVPJifZzeQk3Z/M8 R+k285ckN2GI1ftFbFUPxFH+3p8Z/ElCfC8fpZ6qSl8odMldO9DCcNzCm9I8vxSx HDvm4Hn4KvJEgo+skdZQTd9AXYsbmciZp85g83QzbhTn3MXSt23ZRQhQApwOb0Hn Q4wCMiObx/ukflItSwG9hAhQBV7hH6itWohA9liANzsXoesdwx4j75VHVLK8iCAU QaF9Ugd4mi7SIPUydD4/QGHJaCpoNd7bpUcQr0/r3uv1McpQtT67BUORr838tI31 xrHuLv8jwRDC0A+uyFFD/Cdk89puCClOn+utuCLtgsBSxw1rN4AHYU0XIcMW2BM9 BsolxPDLkj3RjuKeAejHF2s6lXm+387GwU488wYIdiNJ1p2mp4ibRPafmfenmVhw Kc232qPGkRI/fAMOPM0PaAJq1tCSfUZVugutZIJQcUEEyzAOICn5FqRaQ/IfqFdZ cUE7m+/oiuYfZQa/Ts3TD0+tucmw/7F+8SCSRztgSRykGECKISaP0Ot3ehND/178 WNqjgoT4yNhQ4L5Z8zDgwWQ7O1XRkJ+KkqX+rv6z81IU0Q19RfE6Go4eCi8A7y/O 3Wa8YzKPGIJL1dX5EmU6jVqBT/0XVhPgQiRB0JCMSe6E3sXA7Q6wFzxrTB/CK+tJ WYh900q8Rok= =ulX7 -----END PGP SIGNATURE-----