A BeanShell vulnerability for handling Java object deserialization was addressed by IBM Emptoris Strategic Supply Management Platform, IBM Contract Management and IBM Program Management products.
CVEID: CVE-2016-2510**
DESCRIPTION:** BeanShell could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data using Java serialization or XStream. An attacker could exploit this vulnerability deserialize data and execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111295 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
IBM Emptoris Contract Management 9.5 through 10.1
IBM Emptoris Program Management 10.0.0 through 10.1
IBM Emptoris Strategic Supply Management 10.0.0 through 10.1
The remediation to this issue involves applying the fixes for the affected IBM Emptoris products indicated below as soon as practical.
Versions affected | Remediation iFix or Fix Pack |
---|---|
9.5.x | Apply Interim fix -> IBM Emptoris BeanShell iFix |
10.0.0.x | Apply Interim fix -> IBM Emptoris BeanShell iFix |
OR | |
Apply the following iFixes |
Product | Version | Fix Link/Available On or Before |
---|---|---|
Contract Management | 10.0.0.1 iFix14 | June 15 2016 |
Program Management, Strategic Supply Management | 10.0.0.3 iFix8 | May 27 2016 |
10.0.1.x | Apply Interim fix -> IBM Emptoris BeanShell iFix | |
OR | ||
Apply the following iFixes |
Product | Version | On or Before |
---|---|---|
Contract Management | 10.0.1.5 iFix6 | June 15 2016 |
Program Management, Strategic Supply Management | 10.0.1.4 iFix5 | May 20 2016 |
10.0.2.x | Apply Interim fix -> <Link to iFix on Fix central> | |
OR | ||
Apply the following iFixes |
Product | Version | Fix Link/Available On or Before |
---|---|---|
Contract Management | 10.0.2.7 iFix6 | |
10.0.2.8 iFix2 | May 16 2016 | |
Program Management, Strategic Supply Management | 10.0.2.7 iFix4 | |
10.0.2.8_iFix2 | May 13 2016 |
Note: Please check Fix Central for additional versions that may be available for specific Fix Packs in 10.0.2.x
10.0.4.x| Apply Interim fix -> IBM Emptoris BeanShell iFix
OR
Apply the following iFixes
Product | Version | ** Fix Link/Available On or Before** |
---|---|---|
Contract Management | 10.0.4.0 iFix7 | April 28 2016 |
Program Management, Strategic Supply Management | 10.0.4.0 iFix6 | May 06 2016 |
10.1.0.x | Apply Interim fix -> IBM Emptoris BeanShell iFix | |
OR | ||
Apply the following iFixes |
Product | Version | Fix Link/Available On or Before |
---|---|---|
Contract Management | 10.1.0.0 iFix5 | 10.1.0.0_iFix5 |
Program Management, Strategic Supply Management | 10.1.0.0 iFix7 | April 29 2016 |
IBM recommends that you review your entire environment to identify vulnerable releases of the open-source BeanShell and take appropriate mitigation and remediation actions.
None
Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
Complete CVSS v2 Guide
On-line Calculator v2
Off
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
29 Apr 2016: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES ““AS IS”” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
[{“Product”:{“code”:“SSYQ72”,“label”:“Emptoris Strategic Supply Management”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“Platform”,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“Version Independent”,“Edition”:“”,“Line of Business”:{“code”:“LOB02”,“label”:“AI Applications”}},{“Product”:{“code”:“SSYQ89”,“label”:“Emptoris Contract Management”},“Business Unit”:{“code”:“BU055”,“label”:“Cognitive Applications”},“Component”:" “,“Platform”:[{“code”:”“,“label”:”“}],“Version”:”“,“Edition”:”“,“Line of Business”:{“code”:“LOB02”,“label”:“AI Applications”}},{“Product”:{“code”:“SSYRER”,“label”:“Emptoris Program Management”},“Business Unit”:{“code”:“BU055”,“label”:“Cognitive Applications”},“Component”:” “,“Platform”:[{“code”:”“,“label”:”“}],“Version”:”“,“Edition”:”",“Line of Business”:{“code”:“LOB02”,“label”:“AI Applications”}}]
CPE | Name | Operator | Version |
---|---|---|---|
Emptoris Contract Management | eq | any | |
Emptoris Program Management | eq | any |