IBM Cúram Social Program Management uses the Apache Log4j libraries, for which there is a publicly known vulnerability. For this vulnerability, Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender.
CVEID:CVE-2020-9488
**DESCRIPTION:**Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180824 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
Curam SPM | 8.0.0 |
Curam SPM | 7.0.11 |
Product | VRMF | Remediation/First Fix |
---|---|---|
Cúram SPM |
8.0.1
| Visit IBM Fix Central and upgrade to 8.0.1 or a subsequent 8.0.1 release.
Cúram SPM|
7.0.11
| Visit IBM Fix Central and upgrade to 7.0.11_iFix6 or a subsequent 7.0.11 release.
For information about all other versions, contact IBM Cúram Social Program Management customer support.