
Security Bulletin: Order Management is subject to an Apache Batik vulnerability and could allow a remote attacker to obtain sensitive information.

2024-04-12 17:40:43
www.ibm.com
ibm sterling order management
sensitive information disclosure
remote attacker
vulnerability fix
apache batik

CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:P)
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: PARTIAL

AI Score: 9.3 High (Confidence: High)

EPSS: 0.043 Low (Percentile: 92.3%)

Summary

Order Management removed parts of legacy code that carried vulnerabilities. The removed code did contain CVE-2015-0250; however, the specific code related to the vulnerability was not in use, so the risk is lower. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2015-0250
**DESCRIPTION:** Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101614 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Order Management | 10.0 |

Remediation/Fixes

Release notes and fixes: <https://www.ibm.com/docs/en/order-management?topic=updating-resolved-issues>

Container download: <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=operator-obtaining-container-images-from-entitled-registry>
On-Prem: <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=installing-applying-fix-packs>

Workarounds and Mitigations

None

Affected configurations

| CPE Name | Operator | Version |
|---|---|---|
| ibm sterling order management | eq | 10. |
