IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Cognos BI 8.4.1, 10.1, 10.1.1 and 10.2 (CVE-2011-3026, CVE-2011-4858, CVE-2012-0498, CVE-2012-2177, CVE-2012-2193, CVE-2012-4835, CVE-2012-4836, CVE-2012-4837, CVE-2012-4840, CVE-2012-4858, CVE-2012-5081)

Security Bulletin


Summary

Several security vulnerabilities have been identified in IBM Cognos BI which may allow remote attackers to:

- Cause a denial of service condition via excessive CPU consumption,
- Inject arbitrary JavaScript code into the victim's web browser,
- Download arbitrary XML files from the server,
- Call any registered XPath extension functions,
- Execute arbitrary code via buffer overflow.

Vulnerability Details


CVE ID: CVE-2011-3026

DESCRIPTION: The libpng graphics library is bundled with IBM Cognos BI. This vulnerability allows an attacker to overflow a buffer and execute arbitrary code on the server, or crash the server, by causing IBM Cognos BI to render a specially crafted PNG image.

CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73240 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
None known


CVE ID: CVE-2011-4858

DESCRIPTION: Apache Tomcat is bundled with IBM Cognos BI. This Tomcat vulnerability allows remote attackers to cause a denial of service (excessive CPU consumption) by sending a maliciously crafted HTTP request to the Cognos gateway.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72016 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
None known


CVE ID: CVE-2012-0498

DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This vulnerability allows an attacker to affect confidentiality, integrity, and availability by causing IBM Cognos BI to render a specially crafted image.

CVSS:
CVSS Base Score: 10
The CVSS base score represents the maximum CVSS base score assigned by X-Force for the vulnerabilities identified in this advisory.

AFFECTED PLATFORMS:
All supported Windows platforms for IBM Cognos BI.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
A patched version of the Java Runtime Environment (JRE) can be installed independently, and IBM Cognos BI can be configured to be run with the patched version of the JRE.


CVE ID: CVE-2012-2177

DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability requiring additional user interaction. The victim has to click a malicious link and then click an additional link on the rendered Web page. The attacker's JavaScript code is executed in the context of the victim's web browser.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75400 for the current score
CVSS Environmental Score*: Undefined

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
You can configure IBM Cognos BI 10.1 and above to set the httpOnly attribute on the session cookie. That stops the injected script from reading the session id, but it does not stop the script itself from running in the victim's browser.


CVE ID: CVE-2012-2193

DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability requiring additional user interaction. The victim has to click a malicious link and then click an additional link on the rendered Web page. The attacker's JavaScript code is executed in the context of the victim's web browser.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/76098 for the current score
CVSS Environmental Score*: Undefined

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
You can configure IBM Cognos BI to set the httpOnly attribute on the session cookie. That stops the injected script from reading the session id, but it does not stop the script itself from running in the victim's browser.


CVE ID: CVE-2012-4835

DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability. The victim has to click a malicious link. The attacker's JavaScript code is executed in the context of the victim's web browser.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78917 for the current score
CVSS Environmental Score*: Undefined

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
Configuring IBM Cognos BI 10.1 and above to set the httpOnly attribute on the session cookie stops the injected script from reading a user's session id, but it does not stop the script itself from running in the victim's browser.


CVE ID: CVE-2012-4836

DESCRIPTION: IBM Cognos BI is vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78918 for the current score
CVSS Environmental Score*: Undefined

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
You can configure IBM Cognos BI 10.1 and above to set the httpOnly attribute on the session cookie. That stops the injected script from reading the session id, but it does not stop the script itself from running in the victim's browser.
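The mitigation above (and the same one listed for CVE-2012-2177, CVE-2012-2193 and CVE-2012-4835) is only effective if the session cookie actually leaves the gateway with the HttpOnly attribute. The following checker, an added example that is not part of the IBM bulletin or the Cognos product, parses Set-Cookie header values and reports session cookies that lack HttpOnly or Secure. The header strings are constructed for the example, and the session cookie names in SESSION_COOKIE_NAMES are assumptions to adjust for your deployment.

```python
"""Check Set-Cookie headers for the HttpOnly attribute the bulletin recommends.

Added example; not from the IBM bulletin or the Cognos product. The header
strings below are constructed, and the session cookie names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed names of the cookies that carry a session; adjust for your deployment.
SESSION_COOKIE_NAMES = {"cam_passport", "JSESSIONID"}


@dataclass
class CookieFlags:
    name: str
    http_only: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into the two flags we care about.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased
    before the lookup."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFlags(name, "httponly" in attrs, "secure" in attrs)


def audit_set_cookie_headers(headers: Iterable[str],
                             session_names=SESSION_COOKIE_NAMES) -> List[str]:
    """Return one finding per session cookie that lacks HttpOnly or Secure.

    An empty list means every session cookie seen carries both attributes.
    Cookies whose name is not in session_names are ignored."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in session_names:
            continue
        if not cookie.http_only:
            findings.append(f"{cookie.name}: missing HttpOnly; injected script can read it")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure; cookie is sent over plain HTTP")
    return findings


# Constructed responses: the weak configuration and the corrected one.
WEAK_HEADERS = [
    "cam_passport=MTsxMDE6abc123; Path=/",
    "JSESSIONID=0F3A9C; Path=/; Secure",
    "prefs=dense; Path=/",  # not a session cookie, ignored by the audit
]
FIXED_HEADERS = [
    "cam_passport=MTsxMDE6abc123; Path=/; Secure; HttpOnly",
    "JSESSIONID=0F3A9C; Path=/; Secure; HttpOnly",
    "prefs=dense; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_set_cookie_headers(headers) or ["ok"])
```

To run it against a live gateway, capture the Set-Cookie lines from a login response (for example with curl -i) and pass them to audit_set_cookie_headers. Remember that HttpOnly limits what a successful cross-site scripting attack can steal; it does not remove the need for the interim fixes that stop the script from being injected.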


CVE ID: CVE-2012-4837

DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by improper validation of input prior to using it in an XPath (XML Path Language) query. By injecting arbitrary XPath code, a malicious user could exploit this vulnerability to read arbitrary XML files.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78919 for the current score
CVSS Environmental Score*: Undefined

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
None known


CVE ID: CVE-2012-4840

DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by improper validation of input prior to using it in an XPath (XML Path Language) query. By injecting arbitrary XPath code, a remote unauthenticated attacker could call any registered XPath extension function.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79116 for the current score
CVSS Environmental Score*: Undefined

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
None known
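Both XPath findings above (CVE-2012-4837 and CVE-2012-4840) come from the same root cause: user input spliced into an XPath expression as text. The following added example, which is not code from IBM Cognos BI, shows the vulnerable query construction next to a hardened version that allow-lists the input and encodes it as a proper XPath string literal. The XML document, the element and attribute names, and the lookup function are all constructed for illustration.

```python
"""XPath injection: string-built query versus hardened construction.

Added example; not code from IBM Cognos BI. The XML, the element and
attribute names and the lookup function are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample document the queries run against.
USERS_XML = """<users>
  <user name="alice" role="analyst"/>
  <user name="admin" role="administrator"/>
</users>"""
ROOT = ET.fromstring(USERS_XML)


def build_query_unsafe(name: str) -> str:
    """Vulnerable pattern: the caller's input is concatenated into the query.

    Input such as  ' or '1'='1  turns the predicate into a tautology, and an
    attacker can go on to call any function the XPath engine exposes."""
    return f"./user[@name='{name}']"


def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequence inside string literals, so a value that
    contains both quote characters is split on the single quote and
    reassembled with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in pieces) + ")"


def build_query_safe(name: str) -> str:
    """Same query, but the input can only ever be a string value."""
    return f"./user[@name={xpath_literal(name)}]"


# Allow-list for the one field this query accepts. Tighten to your data.
NAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def lookup_role(name: str) -> Optional[str]:
    """Hardened lookup: reject anything outside the allow-list, then build
    the query from a proper literal. ElementTree's limited XPath evaluates
    the simple [@name='...'] form that survives the allow-list."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected input for XPath query")
    hits = ROOT.findall(build_query_safe(name))
    return hits[0].get("role") if hits else None


def injection_rejected(name: str) -> bool:
    """True when the hardened path refuses the input outright."""
    try:
        lookup_role(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("unsafe query :", build_query_unsafe(payload))
    print("safe query   :", build_query_safe(payload))
    print("allow-list   :", "rejected" if injection_rejected(payload) else "accepted")
    print("admin role   :", lookup_role("admin"))
```

The two defences are independent: the literal encoding guarantees the input is treated as a value even when it contains quotes, and the allow-list keeps unexpected characters out of the query entirely. Engines that support XPath variable binding (for example lxml's xpath(expr, name=value)) make the first defence unnecessary, but the allow-list is still worth keeping.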


CVE ID: CVE-2012-4858

DESCRIPTION: IBM Cognos BI is vulnerable to remote OS command injection because it deserializes untrusted Java serialized input without validation.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79801 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
All supported platforms.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
None known
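The root cause of CVE-2012-4858 is a general one: a deserializer that resolves whatever classes and callables the incoming bytes name will run attacker-chosen code. The bulletin concerns Java serialization; the added example below, which is not code from IBM Cognos BI, uses Python's pickle because it exhibits the same property and runs stand-alone. It shows a payload that executes a callable during loading, the unsafe loader, and a restricted loader that refuses to resolve any global so that only plain data can be deserialized. Every payload and the side_effect stand-in are constructed for the example.

```python
"""Deserializing untrusted input executes attacker-chosen code.

Added example; not code from IBM Cognos BI. CVE-2012-4858 concerns Java
serialization; Python's pickle has the same property and is used here so
the example runs stand-alone. Every payload below is constructed inline.
"""
import io
import pickle
from typing import Any, List

EXECUTED: List[str] = []  # records which callables ran during a load


def side_effect(tag: str) -> str:
    """Stands in for os.system(...) or any other callable an attacker names."""
    EXECUTED.append(tag)
    return tag


class Gadget:
    """Its serialized form tells the loader: rebuild me by calling
    side_effect(tag). The loader obeys, so whoever controls the bytes
    controls what gets called and with which arguments."""

    def __reduce__(self):
        return (side_effect, ("callable ran during load",))


def untrusted_payload() -> bytes:
    """What an attacker would send: constructed here for the demonstration."""
    return pickle.dumps(Gadget())


def benign_payload() -> bytes:
    """Plain data, the only thing a report endpoint should ever need."""
    return pickle.dumps({"report": "q1", "rows": 3})


def load_unsafe(data: bytes) -> Any:
    """The vulnerable pattern: deserialize whatever arrived."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global. Dicts, lists, strings and numbers are
    encoded without globals, so benign payloads still load."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_rejects(data: bytes) -> bool:
    """True when the hardened loader refuses the payload."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe load returned:", load_unsafe(untrusted_payload()), EXECUTED)
    print("restricted rejects gadget:", restricted_rejects(untrusted_payload()))
    print("restricted loads data:", load_restricted(benign_payload()))
```

The restricted loader is a containment, not a substitute for the fix: the durable answer is to not accept a code-carrying serialization format from untrusted parties at all, and to use a data-only format such as JSON at trust boundaries.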


CVE ID: CVE-2012-5081

DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This vulnerability allows remote attackers to affect availability (denial of service).

CVSS:
CVSS Base Score: 5
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PLATFORMS:
All supported Windows platforms for IBM Cognos BI.

REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure

Workaround(s):
None known, apply fixes

Mitigation(s):
A patched version of the Java Runtime Environment (JRE) can be installed independently, and IBM Cognos BI can be configured to be run with the patched version of the JRE.


REFERENCES:

  • CVE-2011-3026
  • CVE-2011-4858
  • CVE-2012-0498
  • CVE-2012-2177
  • CVE-2012-2193
  • CVE-2012-4835
  • CVE-2012-4836
  • CVE-2012-4837
  • CVE-2012-4840
  • CVE-2012-4858
  • CVE-2012-5081
  • Enabling the HTTPOnly parameter


    References

    Complete CVSS v2 Guide
    On-line Calculator v2

    Related information

    IBM Secure Engineering Web Portal
    IBM Product Security Incident Response Blog

    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

    Disclaimer

    According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

    Cross reference information

    Segment: Business Analytics
    Product: Cognos 8 Business Intelligence
    Component: (none listed)
    Platform: AIX, HP-UX, HP Itanium, Linux, Solaris, Windows
    Version: 8.4.1
    Edition: All Editions

    Document information

    More support for: Cognos Business Intelligence
    Security

    Software version: 8.4.1, 10.1, 10.1.1, 10.2

    Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

    Reference #: 1626697

    Modified date: 27 February 2013