Security Bulletin: Vulnerability in Apache Batik affects IBM Cúram Social Program Management (CVE-2018-8013)


Summary

IBM Cúram Social Program Management uses the Apache Batik library. In Apache Batik versions prior to 1.10, the class type was not checked during the deserialization of a subclass of `AbstractDocument`, so a class name carried in the serialized stream was instantiated as-is. A fix has been put in place to check the class type before instantiating it during deserialization.
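The pattern the summary describes, as an added illustration that is not Batik's or IBM's code: a `readObject()` method reads a class name from the stream and instantiates it. The `UncheckedDocument`, `CheckedDocument`, `DocumentImpl`, `SafeImpl` and `NotAnImpl` names are hypothetical stand-ins, not Batik classes. The unchecked version instantiates whatever class the stream names; the checked version loads the class without initializing it, verifies it is assignable to the expected type, and only then calls the constructor.

```java
import java.io.*;

/**
 * Added example (not from the bulletin or from Apache Batik): the same
 * "read a class name, instantiate it" step written first without and then
 * with a type check before instantiation. All class names are hypothetical.
 */
public class DeserializationTypeCheck {

    /** Hypothetical contract that legitimate implementation classes fulfil. */
    public interface DocumentImpl { String describe(); }

    /** A legitimate implementation the document expects to restore. */
    public static class SafeImpl implements DocumentImpl {
        public SafeImpl() {}
        public String describe() { return "SafeImpl"; }
    }

    /** Stand-in for an arbitrary class an attacker might name in the stream. */
    public static class NotAnImpl {
        public NotAnImpl() { System.out.println("NotAnImpl constructor ran"); }
    }

    /** Vulnerable pattern: the class named in the stream is instantiated unchecked. */
    public static class UncheckedDocument implements Serializable {
        private static final long serialVersionUID = 1L;
        transient Object impl;
        String implClassName;                       // attacker-controlled on the wire
        UncheckedDocument(String implClassName) { this.implClassName = implClassName; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            try {
                // Any class with a no-arg constructor on the classpath is instantiated.
                impl = Class.forName(implClassName).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw new InvalidObjectException("cannot instantiate " + implClassName);
            }
        }
    }

    /** Hardened pattern: the class is checked against the expected type before instantiation. */
    public static class CheckedDocument implements Serializable {
        private static final long serialVersionUID = 1L;
        transient DocumentImpl impl;
        String implClassName;
        CheckedDocument(String implClassName) { this.implClassName = implClassName; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // initialize=false: no static initializer of the named class runs before the check.
            Class<?> c = Class.forName(implClassName, false, getClass().getClassLoader());
            if (!DocumentImpl.class.isAssignableFrom(c)) {
                throw new InvalidClassException(implClassName, "not a DocumentImpl");
            }
            try {
                impl = c.asSubclass(DocumentImpl.class).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw new InvalidObjectException("cannot instantiate " + implClassName);
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String hostile = NotAnImpl.class.getName();   // constructed: what an attacker would write into the stream
        // Unchecked: the attacker-chosen class is instantiated during readObject.
        deserialize(serialize(new UncheckedDocument(hostile)));
        // Checked: the same stream is rejected before any constructor runs.
        try {
            deserialize(serialize(new CheckedDocument(hostile)));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Checked with a legitimate implementation still restores normally.
        CheckedDocument ok = (CheckedDocument) deserialize(serialize(new CheckedDocument(SafeImpl.class.getName())));
        System.out.println(ok.impl.describe());
    }
}
```

The `isAssignableFrom` check is the per-class fix the bulletin describes. As defence in depth on Java 9 and later, an application can also install an `ObjectInputFilter` via `ObjectInputStream.setObjectInputFilter` (or the `jdk.serialFilter` system property) to reject unexpected classes for every stream, independently of any one class's `readObject()`.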

Vulnerability Details

CVEID: CVE-2018-8013
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive information. The flaw is caused by an error during the deserialization of an "AbstractDocument" subclass; an attacker could exploit it to reveal files and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143678 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.2.0 - 7.0.4.0
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

Product     VRMF    Remediation/First Fix
Cúram SPM   7.0.4   Visit IBM Fix Central and upgrade to 7.0.4.0 or a subsequent 7.0.4 release.
Cúram SPM   7.0.1   Visit IBM Fix Central and upgrade to 7.0.1.3 or a subsequent 7.0.1 release.
Cúram SPM   6.2.0   Visit IBM Fix Central and upgrade to 6.2.0.6 iFix2 or a subsequent 6.2.0 release.
Cúram SPM   6.1.1   Visit IBM Fix Central and upgrade to 6.1.1.6 iFix2 or a subsequent 6.1.1 release.
Cúram SPM   6.0.5   Visit IBM Fix Central and upgrade to 6.0.5.10 iFix4 or a subsequent 6.0.5.10 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.

References

Change History

07 December 2018: Original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
07 December 2018

UID

ibm10744157