IBM Support

Security Bulletin: Apache Lucene PRISMA-2021-0081 X-Force 216835 security vulnerability

Security Bulletin


Summary

Apache Lucene PRISMA-2021-0081 X-Force 216835 security vulnerability in FileNet Content Manager (FNCM) Content Search Services (CSS)/Enterprise Content Management Text Search (ECMTS). CSS/ECMTS is affected and is potentially vulnerable.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s)Version(s)
FileNet Content Manager5.6.0.0 and future releases
FileNet Content Manager5.5.8.0
FileNet Content Manager5.5.12.0
IBM Enterprise Content Management Text Search5.6.0.0 and future releases
IBM Enterprise Content Management Text Search5.5.8.0
IBM Enterprise Content Management Text Search5.5.12.0
CP4BA - FileNet Content Manager Component24.0.0 and future releases
CP4BA - FileNet Content Manager Component21.0.3

Remediation/Fixes

No FileNet Content Manager (FNCM) component Content Search Services (CSS) / Enterprise Content Management Text Search (ECMTS) fix release is available.

CSS/ECMTS is affected by Apache Lucene PRISMA-2021-0081 X-Force 216835, but NOT vulnerable to these security vulnerabilities.

For customers concerned about this, the replacement for CSS/ECMTS is changing to Elastic Search or Open Search.


CVEID:   PRISMA-2021-0081
DESCRIPTION:   Apache Lucene is vulnerable to a denial of service. By sending a specific regular expression query, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: PRISMA-2021-0081 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 


There are no current plans to upgrade Apache Lucene in CSS/ECMTS, since upgrading would require re-indexing all documents.

  • FileNet Content Manager (FNCM) provides a content based search capability for documents, through Content Search Services (CSS).
  • CSS uses ECMTS for document indexing and search.
  • ECMTS utilizes Open Source components, including Apache UIMA and Apache Lucene.
  • Vulnerabilities have been identified in both Open Source components.
  • ECMTS is affected (uses the component), but not vulnerable (does not use the affected function within the component).
  • FileNet Development has determined that moving up to this version of Apache Lucene that fixes these vulnerabilities would take significant effort, due to substantial changes in the API, which would effectively require rewriting a large amounts of the ECMTS code.  Due to a change in the Lucene index format, all documents previously indexed would need to be reindexed.  Depending on the number of documents indexed, this could take a substantial amount of time.

 

Workarounds and Mitigations

Mitigation options:
1) Disable content indexing and stop using Content Search Service (CSS) / Enterprise Content Management Text Search (ECMTS).
2) Switch from using Content Search Service (CSS) / Enterprise Content Management Text Search (ECMTS) to ElasticSearch or OpenSearch.  This will require reindexing of documents.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

X-Force link:  https://exchange.xforce.ibmcloud.com/vulnerabilities/216835

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

17 Dec 2024: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSNVNV","label":"IBM FileNet Content Manager"},"Component":"Content Search Services, Content Search Services Container","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF051","label":"Linux on IBM Z Systems"},{"code":"PF033","label":"Windows"}],"Version":"5.5.8; 5.5.12; 5.6.0","Edition":"","Line of Business":{"code":"LOB76","label":"Data Platform"}}]

Document Information

Modified date:
12 February 2026

Initial Publish date:
17 December 2024

UID

ibm17179263

Page Feedback