This Fix Readme contains instructions for upgrading the Apache Commons Beanutils jar to v1.9.4 in Atlas eDiscovery Process Management (versions 6.0.1.x and 6.0.2.x).
PSIRT details: PRID: PVR0203016, Advisory ADV0020809 - Apache Commons Beanutils Vulnerability
CVEID: CVE-2019-10086
CVSS Base Score: 5.3
Description: Apache Commons Beanutils may allow a remote attacker to gain unauthorized access to the system because, by default, bean introspection does not suppress the `class` property. An attacker who controls the property names handed to Beanutils can walk from any bean to its Class object and on to the class loader (a property path of the form class.classLoader), and from there gain unauthorized access to the application's class loader.
For more details on the security fix, please refer to the below link:
<https://www.ibm.com/support/pages/node/5693133>
Fix:
This fix applies to IBM Policy Atlas Suite versions 6.0.1.x and 6.0.2.x.
The commons-beanutils.jar must be upgraded from v1.9.2 to v1.9.4 in both the Policy Atlas and the Atlas Extensions applications. Because the jar is packaged inside each application's EAR file, each EAR must be expanded, the jar replaced, and the EAR repackaged and redeployed. The replacement jar keeps the unversioned file name commons-beanutils.jar, so after replacing it confirm the version from the jar's META-INF/MANIFEST.MF (Implementation-Version: 1.9.4) rather than from the file name, and check that no other copy of the 1.9.2 jar remains elsewhere in the EAR (for example under a WAR's WEB-INF/lib).
To apply the fix for the Policy Atlas application, follow the steps mentioned below:
To apply the fix for the Atlas Extensions application, follow the steps mentioned below:
**Attachment:** Use this Apache Commons Beanutils jar:
commons-beanutils.jar
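As an added example (not part of this IBM fix readme and not IBM's own tooling), the following Python script performs the expand, replace and repackage step in memory with the standard-library zipfile module instead of the jar tool, and then verifies the result. It reads Implementation-Version from each jar's META-INF/MANIFEST.MF rather than trusting the file name, since the attached jar is unversioned, and it descends into nested WARs and jars so a second copy under WEB-INF/lib is not missed. It goes slightly beyond the readme in accepting both the unversioned and the Maven-style versioned jar name. The EAR layout, the entry name atlas-extensions.war and the manifest contents are constructed fixtures; this page does not describe the real Policy Atlas or Atlas Extensions EAR layout.

```python
"""Locate, replace and verify commons-beanutils jars inside an EAR.

Added example for this fix readme; it is not IBM's tooling. The EAR layout,
entry names and manifest contents below are constructed fixtures, not the
real Policy Atlas / Atlas Extensions archives.
"""
import io
import re
import zipfile
from typing import List, Optional, Tuple

FIXED_VERSION = (1, 9, 4)
# Matches both the unversioned name used by the fix (commons-beanutils.jar)
# and Maven-style versioned names (commons-beanutils-1.9.2.jar).
JAR_NAME_RE = re.compile(r"(^|/)commons-beanutils(-[\d.]+)?\.jar$")
NESTED = (".jar", ".war", ".rar")  # archive types to descend into


def manifest_version(jar_bytes: bytes) -> Optional[str]:
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_version(text: Optional[str]) -> Tuple[int, ...]:
    """'1.9.4' -> (1, 9, 4); a missing or unparsable version sorts below everything."""
    match = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in match.group(0).split(".")) if match else ()


def find_beanutils(archive: bytes, prefix: str = "") -> List[Tuple[str, Optional[str]]]:
    """List (path, version) for every commons-beanutils jar, recursing into
    nested archives; nested paths use the jar-URL style 'outer.war!/inner'."""
    found: List[Tuple[str, Optional[str]]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for name in z.namelist():
            if JAR_NAME_RE.search(name):
                found.append((prefix + name, manifest_version(z.read(name))))
            elif name.endswith(NESTED):
                found.extend(find_beanutils(z.read(name), prefix + name + "!/"))
    return found


def replace_jar(archive: bytes, new_jar: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the archive with every commons-beanutils jar swapped for new_jar.
    Entry names are kept unchanged so manifest Class-Path references still resolve.
    Returns (new_archive_bytes, replaced_paths)."""
    replaced: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if JAR_NAME_RE.search(name):
                data = new_jar
                replaced.append(name)
            elif name.endswith(NESTED):
                inner, hits = replace_jar(data, new_jar)
                if hits:  # only rewrite nested archives that actually changed
                    data = inner
                    replaced.extend(name + "!/" + h for h in hits)
            dst.writestr(name, data)
    return out.getvalue(), replaced


def verify_fixed(archive: bytes) -> List[Tuple[str, Optional[str]]]:
    """Return every beanutils jar still below 1.9.4 (or lacking a version)."""
    return [(p, v) for p, v in find_beanutils(archive)
            if parse_version(v) < FIXED_VERSION]


# ---- constructed fixtures (stand-ins for the real EARs and the attached jar) ----
def make_jar(version: str) -> bytes:
    """Minimal jar whose manifest claims the given version (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr("org/apache/commons/beanutils/BeanUtils.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def make_sample_ear() -> bytes:
    """Constructed EAR: unversioned 1.9.2 jar at top level plus a versioned copy
    inside a WAR's WEB-INF/lib, the copy a file-name-only search would miss."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/web.xml", "<web-app/>")
        w.writestr("WEB-INF/lib/commons-beanutils-1.9.2.jar", make_jar("1.9.2"))
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as e:
        e.writestr("META-INF/application.xml", "<application/>")
        e.writestr("commons-beanutils.jar", make_jar("1.9.2"))
        e.writestr("atlas-extensions.war", war.getvalue())
    return ear.getvalue()


if __name__ == "__main__":
    ear = make_sample_ear()
    print("before:", verify_fixed(ear))
    patched, hits = replace_jar(ear, make_jar("1.9.4"))
    print("replaced:", hits)
    print("still vulnerable:", verify_fixed(patched))
```

To use it against a real deployment, read the EAR from disk into `replace_jar` together with the bytes of the attached commons-beanutils.jar, write the returned archive back out, and treat a non-empty result from `verify_fixed` on the rewritten EAR as a failed fix; the same `find_beanutils` scan is also a quick way to confirm the 1.9.4 version on an already deployed archive.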