Security Bulletin: IBM Cognos Business Intelligence (CVE-2013-3030, CVE-2013-4002, CVE-2013-2407, CVE-2013-2450, CVE-2013-4034, CVE-2013-5372)

Flash (Alert)


Abstract

A number of security vulnerabilities exist in the IBM Cognos Business Intelligence product.

Content

VULNERABILITY DETAILS:

CVEID: CVE-2013-3030 Denial of service attack against servlet gateway

    DESCRIPTION:
    A malicious user may send specially crafted HTTP requests to the IBM Cognos Business Intelligence servlet gateway and stop it from accepting further requests for a period of time, effectively causing a denial of service to users of the system.

    CVSS Base Score: 5.0
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84592 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    AFFECTED PRODUCTS AND VERSIONS:
    IBM Cognos Business Intelligence 10.2.1 and earlier

    REMEDIATION:
    Apply the fix appropriate for your platform and version (see below)

    Workaround(s) & Mitigation(s):
    This only affects installations that use the Servlet gateway.


CVEID: CVE-2013-4002 Apache Xerces-J XML parser Denial of Service attack

    DESCRIPTION:
    A malicious user that is able to send a specially crafted XML document via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.

    CVSS Base Score: 7.1
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

    AFFECTED PRODUCTS AND VERSIONS:
    IBM Cognos Business Intelligence 10.2.1 and earlier

    REMEDIATION:
    Apply the fix appropriate for your platform and version (see below)

    Workaround(s) & Mitigation(s):
    none


CVEID: CVE-2013-5372 Apache Xerces-J XML parser Denial of Service attack

    DESCRIPTION:
    A malicious user that is able to send a specially crafted XML document via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.

    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

    AFFECTED PRODUCTS AND VERSIONS:
    IBM Cognos Business Intelligence 10.2.1 and earlier

    REMEDIATION:
    Apply the fix appropriate for your platform and version (see below)

    Workaround(s) & Mitigation(s):
    none


CVEID: CVE-2013-2407 Unspecified vulnerability in the Java Runtime Environment (JRE) component

    DESCRIPTION:
    A malicious user that is able to send a XML document with specially crafted Signature data via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.

    CVSS Base Score: 6.4
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85044 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

    AFFECTED PRODUCTS AND VERSIONS:
    IBM Cognos Business Intelligence 10.2.1 and earlier

    REMEDIATION:
    Apply the fix appropriate for your platform and version (see below)

    Workaround(s) & Mitigation(s):
    This vulnerability is related to the version of Java shipped with IBM Cognos BI Server on Windows. Java is not included on other platforms. Users of other platforms, or Windows users that use a version of Java other than the included version, should contact their Java provider for the equivalent fix.


CVEID: CVE-2013-2450 Unspecified vulnerability in the Java Runtime Environment (JRE) component

    DESCRIPTION:
    A malicious user that is able to send specially crafted data via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.

    CVSS Base Score: 5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85057 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    AFFECTED PRODUCTS AND VERSIONS:
    IBM Cognos Business Intelligence 10.2.1 and earlier

    REMEDIATION:
    Apply the fix appropriate for your platform and version (see below)

    Workaround(s) & Mitigation(s):
    This vulnerability is related to the version of Java shipped with IBM Cognos BI Server on Windows. Java is not included on other platforms. Users of other platforms, or Windows users that use a version of Java other than the included version, should contact their Java provider for the equivalent fix.


CVEID: CVE-2013-4034 External XML Entity Attack

    DESCRIPTION:
    A malicious user that is able to send specially crafted XML data to the IBM Cognos Business Intelligence server may be able to gain unauthorized access to files from the server.

    CVSS Base Score: 4
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86137 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

    AFFECTED PRODUCTS AND VERSIONS:
    IBM Cognos Business Intelligence 10.2.1 and earlier

    REMEDIATION:
    Apply the fix appropriate for your platform and version (see below)

    Workaround(s) & Mitigation(s):
    none


DOWNLOADS:

Cognos 8 Business Intelligence 8.4.1 Interim Fix 3 for Security Exposure

Cognos Business Intelligence 10.2 and 10.2.1 Interim Fixes for Security Exposure

Cognos Business Intelligence 10.1 Interim Fixes for Security Exposure


REFERENCES:
Complete CVSS Guide
On-line Calculator V2


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


CHANGE HISTORY
11 November 2013: Original Copy Published


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Cognos Business Intelligence
Software version: 8.4.1, 10.1, 10.1.1, 10.2, 10.2.1
Operating system(s): AIX, HP Itanium, HP-UX, Linux, Solaris, Windows
Reference #: 1652590
Modified date: 2013-11-11