Security Bulletin: Multiple vulnerabilities in IBM Cognos BI 8.4.1,10.1, 10.1.1 and 10.2 (CVE-2011-3026, CVE-2011-4858, CVE-2012-0498, CVE-2012-2177, CVE-2012-2193, CVE-2012-4835, CVE-2012-4836, CVE-2012-4837, CVE-2012-4840, CVE-2012-4858, CVE-2012-5081)

Flash (Alert)


Abstract

Several security vulnerabilities have been identified in IBM Cognos BI which may allowing remote attackers to:

- Cause a denial of service condition via excessive CPU consumption,
- Inject arbitrary JavaScript code into the victim's web browser,
- Download arbitrary XML files from the server,
- Call any registered XPath extension functions,
- Execute arbitrary code via buffer overflow.

Content

VULNERABILITY DETAILS:


CVE ID: CVE-2011-3026

    DESCRIPTION: The libpng graphic library is bundled with IBM Cognos BI. This vulnerability allows malicious users to overflow a buffer and execute arbitrary code on the server or cause the server to crash by requesting IBM Cognos BI to render a specifically crafted PNG image.

    CVSS:
    CVSS Base Score: 6.8
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73240 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    None known


CVE ID: CVE-2011-4858
    DESCRIPTION: Apache Tomcat is bundled with IBM Cognos BI. This Tomcat vulnerability allows remote attackers to cause a denial of service (CPU consumption) by sending a maliciously crafted HTTP request to the Cognos gateway.

    CVSS:
    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72016 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    None known


CVE ID: CVE-2012-0498
    DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This vulnerability allows malicious users to affect confidentiality, integrity, and availability by requesting IBM Cognos BI to render a specifically crafted image.

    CVSS:
    CVSS Base Score: 10
    The CVSS base score represents the maximum CVSS base score assigned by X-Force for the vulnerabilities identified in this advisory.

    AFFECTED PLATFORMS:
    All supported Windows platforms for IBM Cognos BI.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s) :
    None known, apply fixes

    Mitigation(s):
    A patched version of the Java Runtime Environment (JRE) can be installed independently, and IBM Cognos BI can be configured to be run with the patched version of the JRE.


CVE ID: CVE-2012-2177
    DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability requiring additional user interaction. The victim has to click a malicious link and then click an additional link on the rendered Web page. The attacker's JavaScript code is executed in the context of the victim's web browser.

    CVSS:
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75400 for the current score
    CVSS Environmental Score*: Undefined

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    You can configure IBM Cognos BI 10.1 and above to use the httpOnly attribute for the session cookie. That would prevent the attacker from stealing the session id.


CVE ID: CVE-2012-2193
    DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability requiring additional user interaction. The victim has to click a malicious link and then click an additional link on the rendered Web page. The attacker's JavaScript code is executed in the context of the victim's web browser.

    CVSS:
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76098 for the current score
    CVSS Environmental Score*: Undefined

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    You can configure IBM Cognos BI to use the httpOnly attribute for the session cookie. That would prevent the attacker from stealing the session id.


CVE ID: CVE-2012-4835
    DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability. The victim has to click a malicious link. The attacker's JavaScript code is executed in the context of the victim's web browser.

    CVSS:
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78917 for the current score
    CVSS Environmental Score*: Undefined

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    Configuring IBM Cognos BI 10.1 and above to use the httpOnly attribute for the session cookie helps prevent the attacker from stealing a users session id.


CVE ID: CVE-2012-4836
    DESCRIPTION: IBM Cognos BI is vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed.

    CVSS:
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78918 for the current score
    CVSS Environmental Score*: Undefined

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    You can configure IBM Cognos BI 10.1 and above to use the httpOnly attribute for the session cookie. That would prevent the attacker from stealing the session id.


CVE ID: CVE-2012-4837
    DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by the improper validation of input prior to using it in a XPath (XML Path Language) query. By injecting arbitrary XPath code, a malicious user could exploit this vulnerability to read arbitrary XML files.

    CVSS:
    CVSS Base Score: 4
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78919 for the current score
    CVSS Environmental Score*: Undefined

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    None known


CVE ID: CVE-2012-4840
    DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by the improper validation of input prior to using it in a XPath (XML Path Language) query. By injecting arbitrary XPath code, a remote unauthenticated attacker could call any registered XPath extension function.

    CVSS:
    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79116 for the current score
    CVSS Environmental Score*: Undefined

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    None known


CVE ID: CVE-2012-4858
    DESCRIPTION: IBM Cognos BI is vulnerable to a remote OS command injection due to missing validation of untrusted Java serialized input.

    CVSS:
    CVSS Base Score: 9.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79801 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

    AFFECTED PLATFORMS:
    All supported platforms.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    None known


CVE ID: CVE-2012-5081
    DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This vulnerability allows malicious users to affect availability.

    CVSS:
    CVSS Base Score: 5
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    AFFECTED PLATFORMS:
    All supported Windows platforms for IBM Cognos BI.

    REMEDIATION:
    Apply Cognos Business Intelligence Interim Fixes for Security Exposure

    Workaround(s):
    None known, apply fixes

    Mitigation(s):
    A patched version of the Java Runtime Environment (JRE) can be installed independently, and IBM Cognos BI can be configured to be run with the patched version of the JRE.


REFERENCES:


RELATED INFORMATION:


CHANGE HISTORY:

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Business Analytics Cognos 8 Business Intelligence AIX, HP-UX, HP Itanium, Linux, Solaris, Windows 8.4.1 All Editions

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Cognos Business Intelligence
Security

Software version:

8.4.1, 10.1, 10.1.1, 10.2

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Solaris, Windows

Reference #:

1626697

Modified date:

2013-02-27

Translate my page

Machine Translation

Content navigation