IBM Cognos Express allows access to Tomcat Manager using hard coded credentials

Flash (Alert)


Abstract

It is possible to gain access to Tomcat Manager in IBM Cognos Express using hard coded credentials. This could create a security vulnerability that would allow someone to carry out a denial of service attack.

Content

In order to resolve the issue and secure the Cognos Express environment, follow these steps:
1. Stop the 'IBM Cognos Express' service from Service Manager.
Start>Settings>Control Panel>Administrative Tools>Services

2. Delete the following files under the IBM Cognos Express installation folder. The default location of this folder is
C:\Program Files\IBM\Cognos Express if you did not change the location during the installation process.

\webapps\manager.xml
\tomcat4.1.27\conf\tomcat-users.xml
\tomcat4.1.27\server\webapps\manager\html-manager-howto.html
\tomcat4.1.27\server\webapps\manager\manager-howto.html
\tomcat4.1.27\server\webapps\manager\images\asf-logo.gif
\tomcat4.1.27\server\webapps\manager\images\tomcat.gif
\tomcat4.1.27\server\webapps\manager\images\void.gif
\tomcat4.1.27\server\webapps\manager\WEB-INF\web.xml

3. Delete the following folders under the IBM Cognos Express installation folder:

\tomcat4.1.27\server\webapps\manager\WEB-INF
\tomcat4.1.27\server\webapps\manager\images
\tomcat4.1.27\server\webapps\manager
\tomcat4.1.27\server\webapps


4. Start the 'IBM Cognos Express' service from Service Manager.


Document information

More support for: Cognos Express, Security
Software version: 9.0
Operating system(s): Windows 2003 server
Software edition: All Editions
Reference #: 1419179
Modified date: 2010-02-03
