Security Bulletin: Vulnerability in Apache Commons Beanutils library affect IBM Cúram Social Program Management (CVE-2019-10086)

Summary

IBM Cúram Social Program Management uses the Apache Commons Beanutils library, for which there is a publicly known vulnerability. The vulnerability could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.

Vulnerability Details

CVEID:CVE-2019-10086
**DESCRIPTION:**Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

7.0.9

| Visit IBM Fix Central and upgrade to 7.0.9 or a subsequent 7.0.9 release.
Cúram SPM |

7.0.4.4

| Visit IBM Fix Central and upgrade to 7.0.4.4_iFix1 or a subsequent 7.0.4.4 release.
Cúram SPM |

6.2.0.6

| Visit IBM Fix Central and upgrade to 6.2.0.6_iFix4 or a subsequent 6.2.0.6 release.
Cúram SPM |

6.1.1.6

| Visit IBM Fix Central and upgrade to 6.1.1.6_iFix4 or a subsequent 6.1.1.6 release.
Cúram SPM | 6.0.5.10 | Visit IBM Fix Central and upgrade to 6.0.5.10_iFix5 or a subsequent 6.0.5.10 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.