IBM Support

Security Bulletin: Potential Oracle Outside In Technology Vulnerabilities Exposed in ECM Products (CVE-2011-2264, CVE-2011-0794, and CVE-2011-0808)

Question & Answer


Question

Oracle Outside In Technology contains exploitable vulnerabilities in the CorelDRAW (CVE-2011-2264) file parser, the File ID SDK (CVE-2011-0794), and file filters (CVE-2011-0808). Each of these vulnerabilities may allow a remote, unauthenticated user to execute arbitrary code on a vulnerable system when processing specially-crafted files using the Outside In Technology.

Answer

The three impacted file formats are identified in the table below:

ID | File Format
CVE-2011-2264 | CorelDRAW
CVE-2011-0794 | Microsoft CAB
CVE-2011-0808 | Lotus 123

VULNERABILITY DETAILS:
Details of each of these vulnerabilities are as follows:

CVE ID: CVE-2011-2264

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/68650 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2011-0808

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/66916 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2011-0794

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/66929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)


AFFECTED PLATFORMS:
Oracle Outside In Technology is leveraged by a number of ECM products for content viewing and text searching capabilities. Customers using any of the following ECM products (in alphabetic order) are potentially exposed to these vulnerabilities, provided the data to be processed are in CorelDRAW, Lotus 123, or Microsoft CAB file formats. Other versions of these products are not affected.

Product Name | Version | Remediation / Fix Links
IBM Classification Module | 8.6 | Recommend upgrade to IBM InfoSphere Classification Module V8.7 or IBM Content Classification V8.8
IBM CommonStore for Exchange | 8.4 | Download & apply latest fixpack for Content Manager 8.4 from www.ibm.com/support/fixcentral. Note: CommonStore does not support Content Manager V8.5
IBM CommonStore for Lotus Domino | 8.4 | Download & apply latest fixpack for Content Manager 8.4 from www.ibm.com/support/fixcentral. Note: CommonStore does not support Content Manager V8.5
IBM Content Analytics | 2.1, 2.2 | V2.2: Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral. V2.1: Follow the recommendation listed in this technote: https://www-304.ibm.com/support/docview.wss?uid=swg21512725
IBM Content Collector for Email | 2.1.1, 2.2 | V2.2: Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral. V2.1.1: Please contact IBM Support
IBM Content Collector for File Systems | 2.1.1, 2.2 | V2.2: Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral. V2.1.1: Please contact IBM Support
IBM Content Collector for Microsoft SharePoint | 2.1.1, 2.2 | V2.2: Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral. V2.1.1: Please contact IBM Support
IBM Content Integrator | 8.5.1, 8.6 | Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral
IBM Content Manager Enterprise Edition | 8.4.3 | Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral
IBM Document Manager | 8.4.2, 8.5 | Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral
IBM eDiscovery Analyzer | 2.2 | Download & apply latest fixpack (eDiscovery Analyzer V2.2 Fix Pack 3 or later) from www.ibm.com/support/fixcentral
IBM eDiscovery Manager | 2.2 | Recommend upgrade to eDiscovery Manager V2.2.1 (+ Fix pack 1) or eDiscovery Manager V2.2.2
IBM FileNet Capture | 5.2, 5.2.1 | Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral
IBM FileNet Content Manager | 5.0, 5.1 | Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral
IBM FileNet Integrated Document Management Desktop, Web Services and Open Client | 4.0.2, 4.0.3 | Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral
IBM InfoSphere Classification Module | 8.7 | Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral
IBM OmniFind Enterprise Edition | 8.5, 9.1 | V9.1: Download & apply latest fixpack for this release from www.ibm.com/support/fixcentral. V8.5: Follow the recommendation listed in this technote: https://www-304.ibm.com/support/docview.wss?uid=swg21512725
IBM Production Imaging Edition | 5.0 | Download & apply latest fixpack for bundled version of IBM Workplace XT and IBM Content Navigator
IBM WEB Interface for Content Management | 1.0.1, 1.0.2, 1.0.3, 1.0.4 | Recommend upgrade to WEB Interface for Content Management V1.0.4 Fix Pack 5. This fixpack is available to download from www.ibm.com/support/fixcentral


REMEDIATION:
Apply the appropriate fixes highlighted in the table above.

Workaround:
None known; apply fixes.

Mitigation:
To minimize these three exposures, avoid using the listed products to view or text-search untrusted CorelDRAW, Lotus 123, or Microsoft CAB files until the corresponding updates are applied.

Please see RELATED INFORMATION for additional mitigation for the IBM Content Analytics and IBM OmniFind Enterprise Edition products.
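
One way to enforce the mitigation above at an ingestion point is to hold back files in the three affected formats before they reach content viewing or indexing. The following is an added example, not IBM or Oracle code; the magic numbers, the extension list, and the names classify and triage are assumptions for illustration. Content is checked before the extension because a renamed file can still reach a parser that identifies formats by content.

```python
import os

# Magic numbers below are commonly documented signatures, used here as
# assumptions; confirm them against known-good samples from your own archive.
LOTUS_BOF = (
    b"\x00\x00\x02\x00\x04\x04",  # .wks
    b"\x00\x00\x02\x00\x06\x04",  # .wk1
    b"\x00\x00\x1a\x00\x00\x10",  # .wk3
    b"\x00\x00\x1a\x00\x02\x10",  # .wk4
)
# Extension fallback for variants the signatures miss (e.g. ZIP-based .cdr).
BY_EXTENSION = {".cdr": "CorelDRAW", ".cab": "Microsoft CAB", ".wks": "Lotus 123",
                ".wk1": "Lotus 123", ".wk3": "Lotus 123", ".wk4": "Lotus 123",
                ".123": "Lotus 123"}

def classify(name, head):
    """Return the bulletin's format name if the file must be held, else None."""
    if head.startswith(b"MSCF"):
        return "Microsoft CAB"
    if head[:4] == b"RIFF" and head[8:11] == b"CDR":
        return "CorelDRAW"
    if head.startswith(LOTUS_BOF):
        return "Lotus 123"
    return BY_EXTENSION.get(os.path.splitext(name)[1].lower())

def triage(files):
    """Split (name, content) pairs into files to pass on and files to hold."""
    passed, held = [], []
    for name, content in files:
        fmt = classify(name, content[:16])
        if fmt:
            held.append((name, fmt))
        else:
            passed.append(name)
    return passed, held

# Constructed sample inputs: only the leading bytes matter to the check.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n..."),
    ("update.cab", b"MSCF\x00\x00\x00\x00" + b"\x00" * 8),
    ("invoice.pdf", b"MSCF\x00\x00\x00\x00" + b"\x00" * 8),   # CAB renamed to .pdf
    ("logo.cdr", b"RIFF\x10\x00\x00\x00CDR5vrsn"),
    ("poster.cdr", b"PK\x03\x04" + b"\x00" * 12),              # ZIP-based .cdr
    ("budget.wk1", b"\x00\x00\x02\x00\x06\x04\x06\x00"),
]

if __name__ == "__main__":
    passed, held = triage(SAMPLES)
    print("pass:", passed)
    for name, fmt in held:
        print("hold:", name, "->", fmt)
```

Held files can be released for processing once the fix for the relevant product in the table above has been applied.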


REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2011-2264
CVE-2011-0794
CVE-2011-0808

RELATED INFORMATION:
IBM Content Analytics and IBM OmniFind Enterprise Edition Flash

If you have immediate concerns about this vulnerability or require more information regarding this security bulletin, please contact IBM Support.

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date: 17 June 2018

UID: swg21574454