Security Bulletin: Potential Oracle Outside In Technology Vulnerabilities Exposed in ECM Products (CVE-2011-2264, CVE-2011-0794, and CVE-2011-0808)

Technote (FAQ)


Question

Oracle Outside In Technology contains exploitable vulnerabilities in the CorelDRAW file parser (CVE-2011-2264), the File ID SDK (CVE-2011-0794), and the file filters (CVE-2011-0808). Each of these vulnerabilities may allow a remote, unauthenticated user to execute arbitrary code on a vulnerable system when specially crafted files are processed using Outside In Technology.

Answer

The three impacted file formats are identified in the table below:

ID             File Format
CVE-2011-2264  CorelDRAW
CVE-2011-0794  Microsoft CAB
CVE-2011-0808  Lotus 123

VULNERABILITY DETAILS:
Details of each of these vulnerabilities are as follows:

CVE ID: CVE-2011-2264

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68650 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2011-0808

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/66916 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2011-0794

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/66929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
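As an added worked example (not part of the IBM bulletin), the script below reproduces the 9.3 base score from the vector strings listed above and shows how the temporal and environmental metrics, which the bulletin leaves to X-Force and to the reader, change the figure. The metric weights and equations are the published CVSS v2 ones; the function names and the scenario vectors in the `__main__` block are this example's own.

```python
# Added worked example (not part of the IBM bulletin): a CVSS v2 calculator that
# reproduces the bulletin's 9.3 base score and shows the effect of the temporal
# and environmental metrics the bulletin leaves undefined. Weights and equations
# follow the CVSS v2 guide; function names are this example's own.

# Base metric weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # confidentiality / integrity / availability

# Temporal weights; "ND" (not defined) is neutral.
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}     # exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}   # remediation level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}              # report confidence

# Environmental weights.
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # collateral damage
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}             # target distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                       # CR / IR / AR

DEFAULTS = {"E": "ND", "RL": "ND", "RC": "ND",
            "CDP": "ND", "TD": "ND", "CR": "ND", "IR": "ND", "AR": "ND"}


def parse_vector(vector):
    """Turn '(AV:N/AC:M/Au:N/C:C/I:C/A:C)' into a dict; optional temporal and
    environmental metrics default to 'not defined'."""
    metrics = dict(DEFAULTS)
    for part in vector.strip().strip("()").split("/"):
        key, value = part.split(":")
        metrics[key] = value
    return metrics


def _impact(m, cr=1.0, ir=1.0, ar=1.0):
    # Security requirements (CR/IR/AR) scale each impact weight; 1.0 leaves it unchanged.
    c, i, a = CIA[m["C"]] * cr, CIA[m["I"]] * ir, CIA[m["A"]] * ar
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def _exploitability(m):
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def _base_from(impact, exploitability):
    f = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)


def base_score(vector):
    m = parse_vector(vector)
    return _base_from(_impact(m), _exploitability(m))


def temporal_score(vector):
    m = parse_vector(vector)
    return round(base_score(vector) * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]], 1)


def environmental_score(vector):
    m = parse_vector(vector)
    # The adjusted impact is capped at 10 before it feeds the adjusted base score.
    adjusted_impact = min(10.0, _impact(m, REQ[m["CR"]], REQ[m["IR"]], REQ[m["AR"]]))
    adjusted_base = _base_from(adjusted_impact, _exploitability(m))
    adjusted_temporal = round(adjusted_base * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]], 1)
    return round((adjusted_temporal + (10 - adjusted_temporal) * CDP[m["CDP"]]) * TD[m["TD"]], 1)


if __name__ == "__main__":
    bulletin_vector = "(AV:N/AC:M/Au:N/C:C/I:C/A:C)"      # vector from the bulletin
    print("base:", base_score(bulletin_vector))          # 9.3, matching the bulletin
    # Constructed scenarios: official fix out and exploit functional; few exposed hosts.
    print("temporal:", temporal_score("AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C"))
    print("environmental:", environmental_score("AV:N/AC:M/Au:N/C:C/I:C/A:C/CDP:H/TD:L"))
```

The base score is the same for all three CVEs because their vectors are identical; what separates them in practice is the temporal and environmental context, which is why the bulletin points to X-Force for the current temporal score and to the calculator link for the environmental one.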


AFFECTED PLATFORMS:
Oracle Outside In Technology is used by a number of ECM products for content viewing and text searching. Customers using any of the following ECM products (in alphabetical order) are potentially exposed to these vulnerabilities, provided the data to be processed is in the CorelDRAW, Lotus 123, or Microsoft CAB file format. Other versions of these products are not affected.

Product Name | Version
IBM Classification Module | 8.6
IBM CommonStore for Exchange | 8.4
IBM CommonStore for Lotus Domino | 8.4
IBM Content Analytics | 2.1, 2.2
IBM Content Collector for Email | 2.1.1, 2.2
IBM Content Collector for File Systems | 2.1.1, 2.2
IBM Content Collector for Microsoft SharePoint | 2.1.1, 2.2
IBM Content Integrator | 8.5.1, 8.6
IBM Content Manager Enterprise Edition | 8.4.3
IBM Document Manager | 8.4.2, 8.5
IBM eDiscovery Analyzer | 2.2
IBM eDiscovery Manager | 2.2
IBM FileNet Capture | 5.2, 5.2.1
IBM FileNet Content Manager | 5.0, 5.1
IBM FileNet Integrated Document Management Desktop, Web Services and Open Client | 4.0.2, 4.0.3
IBM InfoSphere Classification Module | 8.7
IBM OmniFind Enterprise Edition | 8.5, 9.1
IBM Production Imaging Edition | 5.0
IBM WEB Interface for Content Management | 1.0.1, 1.0.2, 1.0.3, 1.0.4


REMEDIATION:
The teams for the products listed above are working with the vendor to obtain Oracle Outside In updates. These updates will be delivered through the normal IBM service delivery mechanism. This flash will be refreshed as updates become available for each of the listed products.

Fix:
TBD – See Above

Workaround:
None known; apply fixes.

Mitigation:
To minimize these three exposures, please avoid content viewing or text searching untrusted CorelDRAW, Lotus 123, or Microsoft CAB files using the listed products until the corresponding updates are applied.

Please see RELATED INFORMATION for additional mitigation for the IBM Content Analytics and IBM OmniFind Enterprise Edition products.
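The mitigation above asks that untrusted files in the three affected formats not be viewed or indexed until the updates are applied. As an added example (not part of the IBM bulletin, and not code from any of the listed products), the following script screens a drop folder before ingestion and lists the files to hold back. It checks the file signature first, because a renamed file is still parsed as its real format, and falls back to the extension. The signatures are this example's assumptions about the formats rather than anything the bulletin states: CAB files begin with "MSCF"; classic CorelDRAW files are RIFF containers whose form type starts with "CDR" (newer CorelDRAW versions use a ZIP container and are caught here only by extension); Lotus 1-2-3 worksheets begin with a BOF record (00 00 02 00 for WKS/WK1, 00 00 1A 00 for WK3/WK4/123).

```python
# Added example (not part of the IBM bulletin): pre-ingestion screen that flags
# files in the three affected formats so they can be held back from content
# viewing and text searching until the Outside In update is applied.
# The signatures below are this example's assumptions about the formats.
import os

# (format label, signature check) pairs; each check receives the first 16 bytes.
SIGNATURES = [
    ("Microsoft CAB", lambda h: h.startswith(b"MSCF")),
    # RIFF container with a form type beginning "CDR" (CDRA, CDR9, CDRC, ...).
    ("CorelDRAW", lambda h: h.startswith(b"RIFF") and h[8:11] == b"CDR"),
    # Lotus 1-2-3 BOF records for the common worksheet generations.
    ("Lotus 123", lambda h: h.startswith((
        b"\x00\x00\x02\x00\x06\x04",            # WK1
        b"\x00\x00\x02\x00\x04\x04",            # WKS
        b"\x00\x00\x1a\x00\x00\x10\x04\x00",    # WK3
        b"\x00\x00\x1a\x00\x02\x10\x04\x00",    # WK4
        b"\x00\x00\x1a\x00\x05\x10\x04\x00",    # 123 (Lotus 97 and later)
    ))),
]

# Extension fallback for files whose header is not recognised (e.g. ZIP-based CDR).
EXTENSIONS = {
    ".cab": "Microsoft CAB",
    ".cdr": "CorelDRAW",
    ".wks": "Lotus 123", ".wk1": "Lotus 123", ".wk3": "Lotus 123",
    ".wk4": "Lotus 123", ".123": "Lotus 123",
}


def classify(name, head):
    """Return the affected format this file belongs to, or None.

    `head` is the first bytes of the file (16 are enough for every check above).
    A signature match wins; an extension match alone is also reported so that a
    file whose content is not recognised is still held for review.
    """
    for label, matches in SIGNATURES:
        if matches(head):
            return label
    return EXTENSIONS.get(os.path.splitext(name)[1].lower())


def screen_tree(root):
    """Walk a drop folder and return (path, format) for every file to hold back."""
    held = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as f:
                head = f.read(16)
            label = classify(filename, head)
            if label:
                held.append((path, label))
    return held


if __name__ == "__main__":
    import sys
    # Usage: python screen.py /path/to/drop/folder
    for path, label in screen_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"HOLD  {label:<14} {path}")
```

Run it against the folder the ECM product ingests from, and route anything it lists to a quarantine location until the corresponding product update is installed; once the fix is applied the hold can be lifted.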


REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2011-2264
CVE-2011-0794
CVE-2011-0808

RELATED INFORMATION:
IBM Content Analytics and IBM OmniFind Enterprise Edition Flash

If you have immediate concerns about this vulnerability or require more information regarding this security bulletin, please contact IBM Support.

*The CVSS Environmental Score is specific to the customer's environment and ultimately affects the overall CVSS score. Customers can evaluate the impact of these vulnerabilities in their environments by using the links in the REFERENCES section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Enterprise Content Management | Content Classification | | | 8.7, 8.6 |
Enterprise Content Management | CommonStore for Exchange Server | | | 8.4 |
Enterprise Content Management | CommonStore for Lotus Domino | | | 8.4 |
Enterprise Content Management | Content Analytics with Enterprise Search | | | 2.2, 2.1 |
Enterprise Content Management | Content Collector | | | 2.1.1, 2.2 |
Enterprise Content Management | Content Integrator | | | 8.6, 8.5.1 |
Enterprise Content Management | Content Manager Enterprise Edition | | | 8.4.3 |
Enterprise Content Management | Document Manager | | | 8.4.2, 8.5 |
Enterprise Content Management | eDiscovery Analyzer | | | 2.2.0.0 |
Enterprise Content Management | eDiscovery Manager | | | 2.2 |
Enterprise Content Management | FileNet Capture | | | 5.2, 5.2.1 |
Enterprise Content Management | FileNet IDM Desktop/WEB Services/Open Client | | | 4.0.2, 4.0.3 |
Enterprise Content Management | OmniFind Enterprise Edition | | | 9.1, 8.5 |
Enterprise Content Management | Production Imaging Edition | | | 5.0.0 |
Enterprise Content Management | IBM Web Interface for Content Management | | | 1.0.1, 1.0.2, 1.0.3, 1.0.4 |

Document information

More support for: FileNet Content Manager
Software version: 5.0, 5.1.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1574454
Modified date: 2012-12-13
