Security Bulletin: Vulnerabilities in IBM FileNet Content Manager due to security vulnerabilities in Oracle Java Development Kits

Security Bulletin


Summary

The following security vulnerabilities exist in the Oracle Java Development Kits shipped with IBM FileNet Content Manager 5.1.0 and 5.2.x.

Vulnerability Details

CVE ID: CVE-2013-4002
DESCRIPTION:
The Apache Xerces-J XML parser is vulnerable to a denial of service attack, triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resources for several minutes before the data is eventually rejected. This behaviour can be used to launch a denial of service attack against any Java server application which processes XML data supplied by remote users. The same technique can be used to consume CPU resources on client deployments of Java. The IBM Java SDK ships a variant of the Apache Xerces-J XML parser which has the same vulnerability. The vulnerability applies to all versions of the IBM Java SDK.

This issue is only exploitable if the JRE is running untrusted code (e.g. untrusted applets or Web Start applications), or if it is running an application that parses XML data from untrusted sources.

CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)



CVE ID: CVE-2013-5825
DESCRIPTION:
This issue is applicable to server Java applications which process XML data from untrusted sources such as remote users. It also applies to JREs running untrusted code (e.g. untrusted applets or Web Start applications).

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-5372
DESCRIPTION:
The XML4J parser is vulnerable to a denial of service attack, triggered by specially crafted XML data. The DoS manifests as an OutOfMemoryError.

This issue is exploitable if the JRE is running untrusted code under a security manager (e.g. untrusted applets or Web Start applications). This issue is also applicable to server deployments of Java which process XML data from untrusted sources.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-5843
DESCRIPTION:
A maliciously crafted font file can lead to a double free, which in turn could allow untrusted code to disable the security manager and execute arbitrary code. In a server context, the double free would crash the JVM process, so it could be used to launch a denial of service attack. The fix corrects the font parsing code to prevent the double free.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
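Added example, not part of IBM's bulletin: a CVSS v2 base-score calculation in Python that checks each Base Score listed above against its Vector, written in standard CVSS v2 notation. The metric weights and equations are those of the FIRST CVSS v2 specification; the function and variable names are this example's own.

```python
# Added example: recompute CVSS v2 base scores from their vectors.
# Metric weights and equations follow the FIRST CVSS v2 specification.
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": CIA, "I": CIA, "A": CIA,
}
ORDER = ["AV", "AC", "Au", "C", "I", "A"]


def parse_vector(vector):
    """Return {metric: weight}; raise ValueError on a malformed vector."""
    parts = vector.strip().strip("()").split("/")
    if len(parts) != len(ORDER):
        raise ValueError(f"expected {len(ORDER)} metrics in {vector!r}")
    parsed = {}
    for expected, part in zip(ORDER, parts):
        name, sep, value = part.partition(":")
        if not sep or name != expected or value not in WEIGHTS[expected]:
            raise ValueError(f"bad metric {part!r} in {vector!r}")
        parsed[name] = WEIGHTS[name][value]
    return parsed


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal place."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


# (CVE ID, vector, base score) as listed in the bulletin.
BULLETIN = [
    ("CVE-2013-4002", "AV:N/AC:M/Au:N/C:N/I:N/A:C", 7.1),
    ("CVE-2013-5825", "AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    ("CVE-2013-5372", "AV:N/AC:M/Au:N/C:N/I:N/A:P", 4.3),
    ("CVE-2013-5843", "AV:N/AC:L/Au:N/C:C/I:C/A:C", 10.0),
]


def mismatches(entries=BULLETIN):
    """Entries whose listed score differs from the recomputed one."""
    return [(cve, base_score(vec), listed)
            for cve, vec, listed in entries if base_score(vec) != listed]


if __name__ == "__main__":
    print(mismatches() or "all listed base scores match their vectors")
```

A vector whose ":" and "/" separators are swapped fails parsing with a ValueError rather than being scored.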

Affected Products and Versions

IBM FileNet Content Manager 5.1.0 and 5.2.x

Remediation/Fixes

If your system uses indexing, apply the Content Search Services fix as shown below.

Fix | How to acquire fix
Content Search Services 5.1 interim fix | Download 5.1.0.0-P8CSS-IF007 from Fix Central.
Content Search Services 5.2 interim fix | Download 5.2.0.0-P8CSS-IF003 from Fix Central.

Workarounds and Mitigations

None. Install the interim fix.

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: FileNet Content Manager, Content Search Services
Software version: 5.1.0, 5.2.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1660218
Modified date: 2014-01-21