Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Cúram Social Program Management (CVE-2016-1000031)

Summary

IBM Cúram Social Program Management uses the Apache Commons FileUpload Library. Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library.

Vulnerability Details

CVEID: CVE-2016-1000031**
DESCRIPTION:** Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117957 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.2.0 - 7.0.2.0
IBM Cúram Social Program Management 7.0.0.0 - 7.0.1.1
IBM Cúram Social Program Management 6.2.0.0 - 6.2.0.6
IBM Cúram Social Program Management 6.1.0.0 - 6.1.1.6
IBM Cúram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Cúram Social Program Management| 7.0.2| Visit IBM Fix Central and upgrade to 7.0.2.0_iFix1 or a subsequent 7.0.2 release
IBM Cúram Social Program Management| 7.0| Visit IBM Fix Central and upgrade to 7.0.1.1_iFix3 or a subsequent 7.0.1 release
IBM Cúram Social Program Management| 6.2| Visit IBM Fix Central and upgrade to 6.2.0.6_iFix1 or a subsequent 6.2.0 release
IBM Cúram Social Program Management| 6.1| Visit IBM Fix Central and upgrade to 6.1.1.6_iFix1 or a subsequent 6.1.1 release
IBM Cúram Social Program Management| 6.0.5| Visit IBM Fix Central and upgrade to 6.0.5.10 iFix3 or a subsequent 6.0.5 release

Workarounds and Mitigations

For information on all other versions please contact Cúram Customer Support.