IBM Support

Security Bulletin: IBM FileNet Content Manager and Case Foundation security vulnerability in Administration Console for Content Platform Engine (ACCE)

Created by Mark Keithly on
Published URL: https://www.ibm.com/support/pages/node/1073876

Security Bulletin


Summary

IBM FileNet Content Manager and Case Foundation have multiple security vulnerabilities in Administration Console for Content Platform Engine (ACCE).

Vulnerability Details

CVEID:   CVE-2019-4642
DESCRIPTION:   IBM FileNet Content Manager allows web pages to be stored locally, where they can be read by another user on the system.
CVSS Base score: 4.0
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170878 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-4659
DESCRIPTION:   IBM FileNet Content Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170970 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2019-4661
DESCRIPTION:   IBM FileNet Content Manager and Case Foundation could allow an attacker to obtain sensitive information through content sniffing.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171166 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2019-4662
DESCRIPTION:   IBM FileNet Content Manager and Case Foundation do not set the Secure attribute on authorization tokens or session cookies. An attacker may be able to obtain the cookie values by sending an http:// link to a user, or by planting such a link on a site the user visits. The browser sends the cookie with the request to the insecure link, and the attacker can then read the cookie value by sniffing the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171167 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
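The two response-header weaknesses described above, content sniffing (CVE-2019-4661) and session cookies issued without the Secure attribute (CVE-2019-4662), can both be verified from a single captured HTTP response. The script below is an added example written for this page; it is not IBM code and not taken from ACCE. The two sample responses are constructed for the demonstration, the cookie names SESSIONID and authtoken and the /acce path are placeholders rather than the product's real values, and the HttpOnly check goes beyond the bulletin as a general hardening step.

```python
"""Audit a captured HTTP response for the header/cookie weaknesses named in
this bulletin.  Added example for illustration; not IBM code and not taken
from the ACCE product.  The sample responses are constructed and the cookie
names (SESSIONID, authtoken) are placeholders, not ACCE's real cookie names.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_raw_response(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.x response (as printed by `curl -si`) into its
    status line and a list of (lower-cased name, value) header pairs.
    Duplicate headers such as multiple Set-Cookie lines are preserved."""
    head, _sep, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _colon, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_findings(headers: List[Header]) -> List[str]:
    """CVE-2019-4662 class of issue: a cookie issued without the Secure
    attribute is also sent on plain http:// requests to the same host, so an
    attacker who can lure the user to an http:// link can sniff it.  HttpOnly
    is checked as well (not mentioned in the bulletin; general hardening)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        # Attribute names only; values such as Path=/acce are irrelevant here.
        attrs = {part.strip().split("=", 1)[0].lower()
                 for part in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly")
    return findings


def sniffing_findings(headers: List[Header]) -> List[str]:
    """CVE-2019-4661 class of issue: without X-Content-Type-Options: nosniff
    (or with no Content-Type at all) the browser may guess the MIME type and
    render a response in a way the server did not intend."""
    single = {name: value for name, value in headers if name != "set-cookie"}
    findings = []
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "content-type" not in single:
        findings.append("missing Content-Type")
    return findings


def audit(raw: str) -> List[str]:
    """Return all findings for one raw response; an empty list means clean."""
    _status, headers = parse_raw_response(raw)
    return cookie_findings(headers) + sniffing_findings(headers)


# Constructed responses for the demonstration (not captured from a real system).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=0123456789abcdef; Path=/acce; HttpOnly\r\n"
    "Set-Cookie: authtoken=fedcba9876543210; Path=/acce\r\n"
    "\r\n"
    "<html><body>console</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: SESSIONID=0123456789abcdef; Path=/acce; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: authtoken=fedcba9876543210; Path=/acce; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>console</body></html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response) or ["no findings"])
```

To check a live deployment after applying the interim fix, feed `audit()` the output of `curl -si https://<host>/acce/` (the login response is the one that sets the session cookie); an empty finding list for every response that carries Set-Cookie is the expected result. The parser normalizes CRLF to LF so pasted or file-saved captures work as well.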
Affected Products and Versions

FileNet Content Manager and Case Foundation 5.5.2, 5.5.3.

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below.

Product                  VRMF   APAR     Remediation/First Fix
FileNet Content Manager  5.5.2  PJ45908  5.5.2.0-P8CPE-IF004 - 1/30/2020
FileNet Content Manager  5.5.2  PJ45908  5.5.2.0-P8CPE-Container-IF004 - 1/30/2020
FileNet Content Manager  5.5.3  PJ45908  5.5.3.0-P8CPE-IF002 - 2/13/2020
FileNet Content Manager  5.5.3  PJ45908  5.5.3.0-P8CPE-Container-IF002 - 2/13/2020

Workarounds and Mitigations

None.


References


Change History

Initial Release: February 13, 2020
Added Container Releases: February 14, 2020

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Product: FileNet Content Manager (component: Content Platform Engine); Versions: 5.5.2, 5.5.3; Platforms: AIX, Linux, Linux on IBM Z Systems, Windows; Business Unit: Cloud & Data Platform; Line of Business: Automation
Product: IBM Case Manager (component: Content Platform Engine); Versions: 5.5.2, 5.5.3; Platforms: AIX, Linux, Linux on IBM Z Systems, Windows; Business Unit: Cloud & Data Platform; Line of Business: Automation

Document Information

Modified date:
14 February 2020

UID

ibm11073876