Lucene search

IBM5A4D0F2F6B321F74DADB1C42CFD151EA6581783AFE6E5F7519B2E9433100A114

HistoryJun 27, 2023 - 6:57 p.m.

Security Bulletin: FileNet Content Manager (FNCM) FileNet Content Search Services (CSS) ThoughtWorks XStream security vulnerabilities, affected, not vulnerable

2023-06-2718:57:22

www.ibm.com

filenet content manager

content search services

thoughtworks xstream

security vulnerability

affected

not vulnerable

patch available

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS

0.01

Percentile

83.8%

JSON

Summary

Security vulnerability in FileNet Content Manager (FNCM) FileNet Content Search Services (CSS) ThoughtWorks XStream, affected, not vulnerable.

Vulnerability Details

CVEID:CVE-2022-41966
**DESCRIPTION:**XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By manipulating the processed input stream at unmarshalling time, a remote attacker could exploit this vulnerability to replace or inject objects and cause a denial of service.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243448 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
FileNet Content Manager	5.5.4.0
FileNet Content Manager	5.5.8.0
FileNet Content Manager	5.5.9.0
FileNet Content Manager	5.5.10.0

Remediation/Fixes

Fixed in ThoughtWorks XStream v1.4.20, released December 24, 2022.

Product	VRMF	APAR	Remediation/First Fix
FileNet Content Manager	5.5.4.0	PJ46975	5.5.4.0-P8CSS-IF010 - 6/27/2023
FileNet Content Manager	5.5.8.0	PJ46975	5.5.8.0-P8CSS-IF004 - 2/30/2023
FileNet Content Manager	5.5.9.0	PJ46975	5.5.9.0-P8CSS-IF002 - 3/15/2023
FileNet Content Manager	5.5.10.0	PJ46975	5.5.10.0-P8CSS-IF001 - 4/30/2023

In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmfilenet_content_managerMatch5.5.4

ibmfilenet_content_managerMatch5.5.8

ibmfilenet_content_managerMatch5.5.9

ibmfilenet_content_managerMatch5.5.10

VendorProductVersionCPE
ibmfilenet_content_manager5.5.4cpe:2.3:a:ibm:filenet_content_manager:5.5.4:*:*:*:*:*:*:*
ibmfilenet_content_manager5.5.8cpe:2.3:a:ibm:filenet_content_manager:5.5.8:*:*:*:*:*:*:*
ibmfilenet_content_manager5.5.9cpe:2.3:a:ibm:filenet_content_manager:5.5.9:*:*:*:*:*:*:*
ibmfilenet_content_manager5.5.10cpe:2.3:a:ibm:filenet_content_manager:5.5.10:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	filenet_content_manager	5.5.4	cpe:2.3:a:ibm:filenet_content_manager:5.5.4:::::::*
ibm	filenet_content_manager	5.5.8	cpe:2.3:a:ibm:filenet_content_manager:5.5.8:::::::*
ibm	filenet_content_manager	5.5.9	cpe:2.3:a:ibm:filenet_content_manager:5.5.9:::::::*
ibm	filenet_content_manager	5.5.10	cpe:2.3:a:ibm:filenet_content_manager:5.5.10:::::::*