IBM Cúram Social Program Management uses the Apache Batik library. In Apache Batik versions prior to 1.10, the class type was not checked during the deserialization of subclasses of `AbstractDocument`. A fix has been put in place to check the class type before instantiating the object during deserialization.
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive information, which is caused by an error during the deserialization of the "AbstractDocument" subclass. An attacker could exploit the vulnerability to reveal files and obtain sensitive information.
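The check the bulletin describes, validating the class type before an object is instantiated from a serialized stream, is illustrated by the following added example. It is not Batik code and not IBM's fix; it uses a hypothetical `DocumentRecord` class and an allowlist of permitted class names, and rejects any other class inside `ObjectInputStream.resolveClass`, which runs before the class's constructor or `readObject` is ever reached.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

// Added example (not Batik or IBM code): deserialization that verifies the class
// type of every object in the stream against an allowlist before instantiation.
public class CheckedDeserialization {

    // Hypothetical stand-in for the document class the application expects to read back.
    public static final class DocumentRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String title;
        DocumentRecord(String title) { this.title = title; }
    }

    // Only these classes may be instantiated from an untrusted stream.
    private static final Set<String> ALLOWED = Set.of(
        DocumentRecord.class.getName(),
        String.class.getName()
    );

    // ObjectInputStream that rejects any class not on the allowlist before it is instantiated.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(byte[] data) throws IOException {
            super(new ByteArrayInputStream(data));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Refuse here: no constructor or readObject of the unexpected class has run yet.
                throw new InvalidClassException(name, "class not permitted in this stream");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static DocumentRecord readDocument(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(data)) {
            return (DocumentRecord) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an expected document round-trips through the checked stream.
        byte[] ok = serialize(new DocumentRecord("report"));
        System.out.println("accepted: " + readDocument(ok).title);

        // Constructed sample: a stream carrying a class outside the allowlist is rejected
        // before instantiation (a harmless JDK collection stands in for the unexpected class).
        byte[] unexpected = serialize(new java.util.ArrayList<String>());
        try {
            readDocument(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing by installing an `ObjectInputFilter` (for example via `ObjectInputFilter.Config.createFilter` and `ObjectInputStream.setObjectInputFilter`), which additionally lets you bound array sizes and graph depth; the subclass above is shown because it makes the "check the class before instantiating" step explicit.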
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143678 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
IBM Cúram Social Program Management 220.127.116.11 - 18.104.22.168
IBM Cúram Social Program Management 22.214.171.124 - 126.96.36.199
IBM Cúram Social Program Management 188.8.131.52 - 184.108.40.206
IBM Cúram Social Program Management 220.127.116.11 - 18.104.22.168
IBM Cúram Social Program Management 22.214.171.124 - 126.96.36.199
Remediation/Fixes

- Visit IBM Fix Central and upgrade to 188.8.131.52 or a subsequent 7.0.4 release.
- Visit IBM Fix Central and upgrade to 184.108.40.206 or a subsequent 7.0.1 release.
- Visit IBM Fix Central and upgrade to 220.127.116.11 iFix2 or a subsequent 6.2.0 release.
- Visit IBM Fix Central and upgrade to 18.104.22.168 iFix2 or a subsequent 6.1.1 release.
- Visit IBM Fix Central and upgrade to 22.214.171.124 iFix4 or a subsequent 126.96.36.199 release.
Workarounds and Mitigations
For information about all other versions, contact IBM Cúram Social Program Management customer support.
Change History

07 December 2018: Original document published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.