IBM Cúram Social Program Management uses the Apache Batik Library. In Apache Batik library prior to version 1.10, the class type has not being checked during the deserialization process of the subclass of AbstractDocument
. Fix has been put in place to check the class type before instantiating during the deserialization process
CVEID: CVE-2018-8013 DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive information, which is caused by an error during the deserialization of the “AbstractDocument” subclass. An attacker could exploit the vulnerability to reveal files and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143678> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
IBM Cúram Social Program Management 7.0.2.0 - 7.0.4.0
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.0
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10
Product | VRMF | Remediation/First Fix |
---|---|---|
Cúram SPM |
7.0.4
| Visit IBM Fix Central and upgrade to 7.0.4.0 or a subsequent 7.0.4 release.
Cúram SPM |
7.0.1
| Visit IBM Fix Central and upgrade to 7.0.1.3 or a subsequent 7.0.1 release.
Cúram SPM |
6.2.0
| Visit IBM Fix Central and upgrade to 6.2.0.6 iFix2 or a subsequent 6.2.0 release.
Cúram SPM |
6.1.1
| Visit IBM Fix Central and upgrade to 6.1.1.6 iFix2 or a subsequent 6.1.1 release.
Cúram SPM |
6.0.5
| Visit IBM Fix Central and upgrade to 6.0.5.10 iFix4 or a subsequent 6.0.5.10 release.
For information about all other versions, contact IBM Cúram Social Program Management customer support.