Multiple security exposures in IBM Cognos BI Server (CVE-2013-2988, CVE-2013-2978, CVE-2013-1557, CVE-2013-0586, CVE-2013-1478)

Flash (Alert)


Abstract

IBM Cognos BI Server is affected by multiple security exposures.

Content

VULNERABILITY DETAILS:


CVE ID: CVE-2013-2988

    DESCRIPTION:
    Inadequate access control: A malicious user may be able to download files from the server that they are not intended to have access to.
    The attacker must be an authenticated user with Report Author privileges and must know the exact path and filename of the file attempting to be accessed.

    CVSS:
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84010 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    AFFECTED PLATFORMS:
    IBM Cognos Business Intelligence Server 10.2.1
    IBM Cognos Business Intelligence Server 10.2
    IBM Cognos Business Intelligence Server 10.1.1
    IBM Cognos Business Intelligence Server 10.1
    IBM Cognos Business Intelligence Server 8.4.1

    REMEDIATION:
    The recommended solution is to apply the fixes listed at http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for your release version as soon as practical.


CVE ID: CVE-2013-2978

    DESCRIPTION:
    Inadequate access control: A malicious user may be able to download files from the server that they are not intended to have access to.
    The attacker must be an authenticated user with Report Author privileges and must know the exact path and filename of the file attempting to be accessed.

    CVSS:
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83971 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    AFFECTED PLATFORMS:
    IBM Cognos Business Intelligence Server 10.2.1
    IBM Cognos Business Intelligence Server 10.2
    IBM Cognos Business Intelligence Server 10.1.1
    IBM Cognos Business Intelligence Server 10.1
    IBM Cognos Business Intelligence Server 8.4.1

    REMEDIATION:
    The recommended solution is to apply the fixes listed at http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for your release version as soon as practical.


CVE ID: CVE-2013-1557

    DESCRIPTION:
    An unspecified vulnerability in Oracle Java SE related to RMI could allow a remote attacker to execute arbitrary code on the system.

    CVSS:
    CVSS Base Score: 10
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83572 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

    AFFECTED PLATFORMS:
    IBM Cognos Business Intelligence Server 10.2.1
    IBM Cognos Business Intelligence Server 10.2
    IBM Cognos Business Intelligence Server 10.1.1
    IBM Cognos Business Intelligence Server 10.1
    IBM Cognos Business Intelligence Server 8.4.1

    REMEDIATION:
    The recommended solution is to apply the fixes listed at http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for your release version as soon as practical.


CVE ID: CVE-2013-0586

    DESCRIPTION:
    Reflective cross-site scripting (XSS) due to inadequate input validation. An attacker who can trick a legitimate user into clicking on a link the attacker creates may be able to execute scripts of their choosing. This would allow the attacker to perform actions in the context of the user.

    CVSS:
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83380 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    AFFECTED PLATFORMS:
    IBM Cognos Business Intelligence Server 10.2.1
    IBM Cognos Business Intelligence Server 10.2
    IBM Cognos Business Intelligence Server 10.1.1
    IBM Cognos Business Intelligence Server 10.1
    IBM Cognos Business Intelligence Server 8.4.1

    REMEDIATION:
    The recommended solution is to apply the fixes listed at http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for your release version as soon as practical.

    ACKNOWLEDGEMENT:
    The vulnerability was discovered by Oren Ofer of Hacktics Advanced Security Center at Ernst & Young.


CVE ID: CVE-2013-1478

    DESCRIPTION:
    Unspecified vulnerability in the Java Runtime Environment (JRE) component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

    CVSS:
    CVSS Base Score: 10
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

    AFFECTED PLATFORMS:
    IBM Cognos Business Intelligence Server 10.2.1
    IBM Cognos Business Intelligence Server 10.2
    IBM Cognos Business Intelligence Server 10.1.1
    IBM Cognos Business Intelligence Server 10.1
    IBM Cognos Business Intelligence Server 8.4.1

    REMEDIATION:
    The recommended solution is to apply the fixes listed at http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for your release version as soon as practical.


REFERENCES:


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Cognos Business Intelligence
Software version: 10.2.1
Operating system(s): AIX, HP Itanium, HP-UX, Linux, Solaris, Windows
Reference #: 1645566
Modified date: 2013-08-21
