IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Cognos Express (CVE-2013-5443, CVE-2013-5445, CVE-2013-5444, CVE-2013-2407, CVE-2013-2450, CVE-2013-0169, CVE-2013-1478, CVE-2013-1480)

Summary

A number of security vulnerabilities in IBM Cognos Express have been identified and addressed in a software update.

Vulnerability Details

CVE ID: CVE-2013-5443
DESCRIPTION:
A Cross-Site Request Forgery (CSRF) vulnerability in IBM Cognos Express allows an attacker who can trick an authenticated user into clicking or following a malicious link to make that user's browser perform actions the user did not intend.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87819 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version (9.0, 9.5, 10.1 or 10.2.1) as soon as practical:

  • Cognos Express 10.2.1 FP1
  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)
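The check a practitioner expects behind a CSRF fix is the one shown below: a state-changing action must require a POST carrying a per-session secret that a cross-site page cannot read, and the request's Origin must be the application's own. This is an added illustration in Python, not IBM's code and not Cognos Express behaviour; the hostname, the `/admin/user/delete` path, the `Request` dataclass and the in-memory session store are all assumed for the demonstration. The vulnerable handler accepts the action on a plain link (GET) authorized by the session cookie alone, which is exactly the "follow a malicious link" scenario the bulletin describes.

```python
"""CSRF: cookie-only authorization (vulnerable) versus token + Origin check (hardened)."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://cognos.example.internal"  # assumed application origin
SESSIONS: dict = {}  # session id -> {"user": ..., "csrf": ...}; in-memory stand-in


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent automatically by the browser
    form: dict = field(default_factory=dict)     # body / query parameters
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and a per-session CSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("sid"))


def handle_unprotected(req: Request) -> int:
    """Vulnerable: the cookie alone authorizes a state change, even on a GET link."""
    if _session(req) is None:
        return 401
    if req.path == "/admin/user/delete":
        return 200  # deletion performed for whoever the cookie belongs to
    return 404


def _request_origin(req: Request) -> str:
    """Origin header, or the scheme+host part of Referer for older browsers."""
    origin = req.headers.get("Origin")
    if origin is None:
        origin = "/".join(req.headers.get("Referer", "").split("/")[:3])
    return origin


def handle_protected(req: Request) -> int:
    """Hardened: POST only, same-origin only, and a token matching the session."""
    session = _session(req)
    if session is None:
        return 401
    if req.path != "/admin/user/delete":
        return 404
    if req.method != "POST":
        return 405  # a link (GET) can never trigger the action
    if _request_origin(req) != SITE_ORIGIN:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    return 200


def csrf_demo() -> dict:
    """Constructed requests: a victim with a live session, and an attacker page."""
    sid = login("admin")
    cookies = {"sid": sid}
    # Malicious link on attacker.example: browser attaches the cookie, nothing else.
    forged_get = Request("GET", "/admin/user/delete", cookies, {"user": "alice"},
                         {"Referer": "https://attacker.example/lure.html"})
    # Auto-submitted cross-site form: still no token, wrong Origin.
    forged_post = Request("POST", "/admin/user/delete", cookies, {"user": "alice"},
                          {"Origin": "https://attacker.example"})
    legit = Request("POST", "/admin/user/delete", cookies,
                    {"user": "alice", "csrf_token": SESSIONS[sid]["csrf"]},
                    {"Origin": SITE_ORIGIN})
    return {
        "forged_get_unprotected": handle_unprotected(forged_get),
        "forged_get_protected": handle_protected(forged_get),
        "forged_post_protected": handle_protected(forged_post),
        "legit_protected": handle_protected(legit),
    }
```

The Origin comparison is an exact string match rather than a prefix test, so `https://cognos.example.internal.attacker.example` is rejected; the token comparison uses `hmac.compare_digest` so the check does not leak the token byte by byte through timing.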



CVE ID: CVE-2013-5445
DESCRIPTION:
Encrypted credentials can be remotely retrieved from the IBM Cognos Express server.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87821 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version (9.0, 9.5, 10.1 or 10.2.1) as soon as practical:

  • Cognos Express 10.2.1 FP1
  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)


CVE ID: CVE-2013-5444
DESCRIPTION:
Encryption is unnecessarily weakened by the use of a static key, which could assist an attacker in decrypting information they should not have access to.

CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87820 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version (9.0, 9.5, 10.1 or 10.2.1) as soon as practical:

  • Cognos Express 10.2.1 FP1
  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)
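Why a static key matters: a key compiled into every copy of a product is available to anyone who has a copy of the product, so ciphertext protected with it is confidential only against people who do not own the software. Read together with the previous entry, in which encrypted credentials can be retrieved from the server, that is the reasoning a practitioner would apply; the bulletin itself does not state that the two chain, and it rates the key issue as locally exploitable. The Python below is an added illustration, not Cognos Express code: the bulletin does not say which algorithm or key the product used, so the block uses a toy HMAC-SHA256 counter-mode stream cipher (unauthenticated, a stand-in only) and an assumed static key, and contrasts it with a random key generated once per installation.

```python
"""Static product-wide key versus per-installation key for stored credentials."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for whatever the product really uses; it has no integrity tag."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _keystream_xor(key, nonce, ciphertext)


# Weak design (assumed value): the same key baked into every build, so the
# attacker's own copy of the software carries it too.
STATIC_PRODUCT_KEY = hashlib.sha256(b"example-static-key-baked-into-every-build").digest()


def per_install_key(existing: Optional[bytes] = None) -> bytes:
    """Hardened design: a random key generated once at install time and kept in
    a file readable only by the service account (key storage not shown here)."""
    return existing if existing is not None else os.urandom(32)


def attacker_can_read(blob: bytes, attacker_key: bytes, secret: bytes) -> bool:
    """True if someone holding attacker_key recovers the stored secret."""
    return decrypt(attacker_key, blob) == secret


def demo() -> dict:
    secret = b"svc_account:Hunter2!"  # constructed sample credential
    # Installation A stores the credential under the product-wide static key;
    # the attacker obtained the ciphertext and already holds the same key.
    blob_static = encrypt(STATIC_PRODUCT_KEY, secret)
    # Installation A instead uses its own install-time key; the attacker only
    # has the key from a different installation (their own).
    key_a, key_attacker = per_install_key(), per_install_key()
    blob_unique = encrypt(key_a, secret)
    return {
        "static_key_readable": attacker_can_read(blob_static, STATIC_PRODUCT_KEY, secret),
        "unique_key_readable": attacker_can_read(blob_unique, key_attacker, secret),
        "owner_still_reads": decrypt(key_a, blob_unique) == secret,
    }
```

The per-installation key only helps if it is itself protected (file permissions, an OS credential store, or an HSM); a random key world-readable next to the ciphertext is no better than a static one.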



CVE ID: CVE-2013-2407
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker who is able to send specially crafted XML data to the server to cause a denial of service.

CVSS:
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version:

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)



CVE ID: CVE-2013-2450
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker who is able to send specially crafted data to the server to cause a denial of service.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version:

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)


CVE ID: CVE-2013-0169
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as "Lucky Thirteen." The vulnerability could allow remote attackers to conduct distinguishing and plaintext-recovery attacks by statistically analyzing timing data for crafted packets.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version:

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)



CVE ID: CVE-2013-1478
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to 2D.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81754 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version:

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)



CVE ID: CVE-2013-1480
DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to AWT.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81757 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix for your installed version:

  • Cognos Express 10.1 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.5 Interim Fix 2 (IFIX 2)
  • Cognos Express 9.0 Interim Fix 2 (IFIX 2)


Workarounds and Mitigations

None. Install the fixes as listed above.

References

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
10 November 2022

UID

swg21667626