A security vulnerability has been discovered in the IBM FileNet P8 Content Engine (CE) and Content Search Engine (CSE). An attacker who successfully exploited this vulnerability could gain the same user rights as the user account whose credentials were used to install and configure the CSE or to bootstrap the CE. Environments that have followed the documented best-practice guidelines and where account privileges are closely managed could experience less impact than environments where user accounts are given administrative or unnecessarily broad permissions.
Resolving the problem
This vulnerability affects the following IBM FileNet P8 Content Manager (CM) and IBM FileNet P8 Business Process Manager (BPM) product components:
P8CE 4.5.1 at the GA base level, Fix Pack 1 level or Fix Pack 2 level
P8CSE 4.5.1 at the GA base level
P8CSE 4.5.0 at the GA base level or Fix Pack 2 level
P8CE 4.5.1 Fix Pack 3 (or higher) and P8CSE 4.5.1 Fix Pack 1 address the vulnerability and are mandatory updates for all IBM FileNet CM 4.5.1 and IBM FileNet BPM 4.5.1 environments.
P8CSE 4.5.0 Fix Pack 3 addresses the vulnerability and is a mandatory update for all IBM FileNet CM 4.5.0, IBM FileNet BPM 4.5.0, IBM FileNet CM 4.0.x and IBM FileNet BPM 4.0.x environments that have IBM FileNet P8 Content Search Engine 4.5.0 or higher installed and configured.
The Fix Packs are available on Fix Central starting June 28, 2010. Please follow the standard procedure to download the mandatory Fix Packs required for your environment.
Please note that P8CE 4.5.1 Fix Pack 1 and Fix Pack 2, and P8CSE 4.5.0 Fix Pack 1 and Fix Pack 2, are no longer available at Fix Central because they are no longer supported. Please be aware that P8CE 4.5.1 Fix Pack 4 is required if you are upgrading from P8CE 3.5.x. Please see this Flash Alert for more details:
Fix Central can be found at: http://www-933.ibm.com/support/fixcentral/
For additional support questions, please contact the IBM Response Center at 1-800-IBM-SERV.