APAR status
Closed as fixed if next.
Error description
The backURL parameter used by the MyProperties page in Cognos Administration is vulnerable to Client Side Resource Manipulation (CSRM), also known as a Reflected Link vulnerability. An attacker can supply a value for the backURL parameter that the product reflects in a subsequently generated response as the target of a meta-refresh, causing the client browser to follow the link to an arbitrary URL. This is the perfect second half of a CSRF: combined with social engineering and a prepared link, it can lead to a victim accessing a prepared web page or loading a resource such as a JS file or an exe.
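The reflection pattern described above, placed beside the check that closes it, as an added Python example; this is not IBM's code and does not describe how Cognos generates the page, and the function names, the fallback path and the sample inputs are assumptions:

```python
from html import escape
from urllib.parse import urlsplit

# Constructed fallback used when the supplied backURL is rejected;
# the real page's default is not stated in the APAR.
DEFAULT_BACK = "/"


def is_safe_back_url(value: str) -> bool:
    """Accept only a path on the current origin.

    Rejects absolute URLs (any scheme or host), protocol-relative links
    such as '//other.example', backslashes that some browsers normalise
    to '/', and control characters that could break out of the
    meta-refresh content attribute.
    """
    if not value or len(value) > 2048:
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in value):
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    # Exactly one leading slash keeps the target on this origin.
    return value.startswith("/") and not value.startswith("//")


def meta_refresh_vulnerable(back_url: str) -> str:
    """The pattern the APAR describes: the parameter is reflected verbatim."""
    return f'<meta http-equiv="refresh" content="0;url={back_url}">'


def meta_refresh_hardened(back_url: str) -> str:
    """Validate first, fall back to a known path, then attribute-escape."""
    target = back_url if is_safe_back_url(back_url) else DEFAULT_BACK
    return f'<meta http-equiv="refresh" content="0;url={escape(target, quote=True)}">'


if __name__ == "__main__":
    for sample in ["/bi/?perspective=home", "//other.example/", "https://other.example/"]:
        print(sample, "->", meta_refresh_hardened(sample))
```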
Local fix
na
Problem summary
****************************************************************
* USERS AFFECTED:
* All Users
****************************************************************
* PROBLEM DESCRIPTION:
* See Error Description
****************************************************************
* RECOMMENDATION:
* Upgrade to IBM Cognos Analytics 11.1.2
****************************************************************
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
PH05336
Reported component name
COG SOFT DEV KI
Reported component ID
5724W12SK
Reported release
B0A
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-11-15
Closed date
2019-06-05
Last modified date
2019-06-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Business Unit: IBM Software (BU048)
Product: Software Development Kit (SDK) v11x (SSCHNWX)
Platform: Platform Independent (PF025)
Version: B0A
Document Information
Modified date:
05 June 2019