Jun 17, 2018 - 12:11 p.m.

Security Bulletin: Two vulnerabilities exist in IBM FileNet Content Manager and IBM Content Foundation (CVE-2015-0474 and CVE-2015-0493)

2018-06-17 12:11:01
www.ibm.com
EPSS: 0.001 (Low), Percentile: 36.4%

Summary

Oracle Outside In Technology vulnerabilities were disclosed on April 14, 2015 by Oracle. These vulnerabilities are documented in CVE-2015-0474 and CVE-2015-0493 and affect the IBM FileNet Content Manager and IBM Content Foundation products.

Vulnerability Details

CVEID: CVE-2015-0474
DESCRIPTION: A vulnerability in Oracle Outside In Technology could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error when parsing malicious files. By persuading a victim to open a specially-crafted DOCX file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102299 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0493
DESCRIPTION: A vulnerability in Oracle Outside In Technology could allow a remote attacker to execute arbitrary code on the system. The ibpsd2.dll file improperly parses PSD (Photoshop) files. An attacker could exploit this vulnerability to cause a heap-based buffer overflow and execute arbitrary code on the system.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102298 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Products and Versions

IBM FileNet Content Manager 5.1.0, 5.2.0, 5.2.1
IBM Content Foundation 5.2.0, 5.2.1

Remediation/Fixes

Install the applicable release below that contains OIT Critical Patch Update p20572683, which addresses the 2 CVEs in this Security Bulletin.

Product                            VRMF   APAR     Remediation/First Fix Available
FileNet Content Manager (FNCM)     5.1.0  PJ43182  5.1.0.6-P8CE-FP006 - 7/31/2015
                                   5.2.0  PJ43183  5.2.0.4-P8CPE-FP004 - 8/31/2015
                                   5.2.1  PJ43183  5.2.1.2-P8CPE-FP002 - 6/10/2015
                                   5.1.0  PJ43184  5.1.0.0-P8CSS-IF013 - 7/31/2015
                                   5.2.0  PJ43185  5.2.0.4-P8CSS-FP004 - 8/31/2015
                                   5.2.1  PJ43185  5.2.1.2-P8CSS-FP002 - 6/10/2015
IBM Content Foundation (ICF)       5.2.0  PJ43183  5.2.0.4-P8CPE-FP004 - 8/31/2015
                                   5.2.1  PJ43183  5.2.1.2-P8CPE-FP002 - 6/10/2015
                                   5.2.0  PJ43185  5.2.0.4-P8CSS-FP004 - 8/31/2015
                                   5.2.1  PJ43185  5.2.1.2-P8CSS-FP002 - 6/10/2015

Releases available from Fix Central: <http://www.ibm.com/support/fixcentral/>

Workarounds and Mitigations

None
