IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Cognos Express (CVE-2013-5443, CVE-2013-5445, CVE-2013-5444, CVE-2013-2407, CVE-2013-2450, CVE-2013-0169, CVE-2013-1478, CVE-2013-1480)

Summary

A number of security vulnerabilities in IBM Cognos Express have been identified and addressed in a software update.

Vulnerability Details

CVE ID: CVE-2013-5443
DESCRIPTION:
A Cross Site Request Forgery (CSRF) vulnerability in IBM Cognos Express allows an attacker that is able to trick an authenticated user into clicking or following a malicious link to perform actions they did not intend to.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87819 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version, whether one of the 9.0 to 10.1 versions listed or 10.2.1, as soon as practical.

  • Cognos Express 10.2.1 FP1
  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)
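The CSRF issue under CVE-2013-5443 works because the browser attaches the victim's session cookie to any request, including one a malicious page triggers. The standard server-side control is a synchronizer token that the attacker's page cannot read or forge. The following Python is an added illustration of that control, not IBM code and not the Cognos Express fix; the request dictionary, ALLOWED_ORIGIN and SERVER_SECRET are constructed stand-ins for a real framework's request object and configuration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret for this example; a deployment would load it
# from protected configuration and rotate it, never hard-code it.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600
# Hypothetical origin of the application; anything else is treated as cross-site.
ALLOWED_ORIGIN = "https://cognos.example.internal"


def _mac(session_id: str, ts: int) -> str:
    """HMAC binding the token to the session cookie and an issue time."""
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Synchronizer token embedded in forms as a hidden field: '<issue_time>.<hmac>'."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(session_id, ts)}"


def verify_csrf_token(session_id: str, token: Optional[str],
                      now: Optional[float] = None) -> bool:
    """True only if the token was minted for this session and is still fresh."""
    if not token or "." not in token:
        return False
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > TOKEN_TTL_SECONDS:
        return False
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    return hmac.compare_digest(_mac(session_id, ts), mac)


def handle_state_changing_request(request: dict, now: Optional[float] = None) -> tuple:
    """
    Gate for a POST that changes state. `request` is a constructed stand-in for a
    framework request object: {'headers': {...}, 'cookies': {...}, 'form': {...}}.
    Returns (status_code, message).
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "no session cookie"
    # Defence in depth: a form post launched from another site carries that
    # site's Origin header, which browsers do not let a page override.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "cross-origin request refused"
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(session_id, token, now):
        return 403, "csrf token missing or invalid"
    return 200, "action performed"


if __name__ == "__main__":
    session = "sess-A"
    form_token = issue_csrf_token(session)
    legitimate = {"headers": {"Origin": ALLOWED_ORIGIN},
                  "cookies": {"session": session},
                  "form": {"csrf_token": form_token, "action": "delete"}}
    # A cross-site page can make the browser send the cookie, but it cannot
    # read the token out of the victim's form, so the request arrives without it.
    cross_site = {"headers": {"Origin": "https://attacker.example"},
                  "cookies": {"session": session},
                  "form": {"action": "delete"}}
    print("legitimate:", handle_state_changing_request(legitimate))
    print("cross-site:", handle_state_changing_request(cross_site))
```

The token is bound to the session identifier, so a token captured from one session is useless in another, and the TTL bounds how long a leaked form is valid. The Origin check is a second, independent control; relying on it alone is weaker because some clients omit the header.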


CVE ID: CVE-2013-5445
DESCRIPTION:
Encrypted credentials can be remotely retrieved from the IBM Cognos Express server.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87821 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version, whether one of the 9.0 to 10.1 versions listed or 10.2.1, as soon as practical.

  • Cognos Express 10.2.1 FP1
  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)

CVE ID: CVE-2013-5444
DESCRIPTION:
Encryption is unnecessarily weakened by the use of a static key, which could assist an attacker in decrypting information they should not have access to.

CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87820 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version, whether one of the 9.0 to 10.1 versions listed or 10.2.1, as soon as practical.

  • Cognos Express 10.2.1 FP1
  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)


CVE ID: CVE-2013-2407
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker who is able to send specially crafted XML data to the server to cause a denial of service.

CVSS:
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for one of the versions listed.

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)
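The remediation for CVE-2013-2407 is the JRE update above; the general lesson for anyone exposing an XML endpoint is that parser work must be bounded before untrusted input reaches it. The following Python is an added example of that defensive pattern, written for this page and unrelated to the Cognos Express or IBM JRE code. It refuses any DOCTYPE (so there are no entity declarations to expand), caps size, nesting depth and element count, and reports why a document was refused. The limits and sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET
from io import BytesIO
from typing import Optional

# Resource limits for untrusted input; tune them to what the endpoint needs.
MAX_BYTES = 1_000_000
MAX_DEPTH = 64
MAX_ELEMENTS = 10_000


class XmlRejected(ValueError):
    """Raised when a document violates a limit; the caller answers 400, not 500."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client while bounding the parser's work."""
    if len(data) > MAX_BYTES:
        raise XmlRejected("document too large")
    # No DOCTYPE means no entity declarations, so there is nothing for the
    # parser to expand. A comment containing the literal text is refused too,
    # which is the fail-closed direction.
    if b"<!doctype" in data.lower():
        raise XmlRejected("DOCTYPE/DTD not allowed")
    depth = 0
    elements = 0
    root: Optional[ET.Element] = None
    try:
        # iterparse yields events as the stream is consumed, so the limits bite
        # before the whole tree is materialised in memory.
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > MAX_DEPTH:
                    raise XmlRejected("nesting too deep")
                if elements > MAX_ELEMENTS:
                    raise XmlRejected("too many elements")
                if root is None:
                    root = elem
            else:
                depth -= 1
    except ET.ParseError:
        raise XmlRejected("malformed XML") from None
    if root is None:
        raise XmlRejected("empty document")
    return root


def rejection_reason(data: bytes) -> Optional[str]:
    """None if the document is accepted, otherwise the reason it was refused."""
    try:
        parse_untrusted_xml(data)
        return None
    except XmlRejected as exc:
        return str(exc)


# Constructed sample documents.
NORMAL_DOC = b"<report><row id='1'/><row id='2'/></report>"
# Two chained entity declarations: the classic expansion shape, kept tiny here.
ENTITY_EXPANSION_DOC = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
                        b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><x>&b;</x>')
DEEP_DOC = b"<a>" * 200 + b"</a>" * 200
WIDE_DOC = b"<r>" + b"<i/>" * (MAX_ELEMENTS + 1) + b"</r>"

if __name__ == "__main__":
    for name, doc in [("normal", NORMAL_DOC), ("entity expansion", ENTITY_EXPANSION_DOC),
                      ("deep nesting", DEEP_DOC), ("wide", WIDE_DOC)]:
        print(f"{name:17s} -> {rejection_reason(doc) or 'accepted'}")
```

Rejecting the DTD outright is the simplest defence and is appropriate for most application endpoints, which never need one; where a DTD is genuinely required, the parser must be configured to disallow entity expansion instead, and the depth and count limits still apply.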


CVE ID: CVE-2013-2450
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker who is able to send specially crafted data to the server to cause a denial of service.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for one of the versions listed.

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)

CVE ID: CVE-2013-0169
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as "Lucky Thirteen." The vulnerability could allow remote attackers to conduct distinguishing and plaintext-recovery attacks by statistically analyzing timing data for crafted packets.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for one of the versions listed.

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)


CVE ID: CVE-2013-1478
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to 2D.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81754 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for one of the versions listed.

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)


CVE ID: CVE-2013-1480
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to AWT.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81757 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for one of the versions listed.

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)

Workarounds and Mitigations

None. Install the fixes as listed above.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Cognos Express

Software version: 9.0, 9.5, 10.1, 10.2.1

Operating system(s): Windows

Reference #: 1667626

Modified date: 20 March 2014

