IBM Support

Security Bulletin: IBM Cognos Business Intelligence Server 2016Q1 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

Security Bulletin


Summary

This bulletin addresses several security vulnerabilities.

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6 and the IBM® Runtime Environment Java™ Technology Edition, Version 7 that are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates in January 2016.

Security issues were also addressed in LibXML2 and IBM WebSphere Portal (Liberty Profile).

Due to the ending of support for OpenSSL 0.9.8 we have upgraded to OpenSSL 1.0.2e

If you are using IBM Cognos TM1, you should also apply IBM Cognos TM1 Security fixes. This will ensure TM1 and Business Intelligence continue to operate as expected. Please see the Related Information section below.

Vulnerability Details

CVEID: CVE-2015-1819
DESCRIPTION: Libxml is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error in the xmlreader when processing XML data. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 5.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/107272 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-2017
DESCRIPTION: The IBM WebSphere Portal is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/103991
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVEID: CVE-2015-5312
DESCRIPTION: An unspecified error in Libxml2 related to an entity expansion flaw has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108319 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7497
DESCRIPTION: Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlDictComputeFastQKey() function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108320 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7498
DESCRIPTION: An unspecified error in Libxml2 related to the processing of entities after encoding conversion failures have occured has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108321 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7499
DESCRIPTION: An unspecified error in Libxml2 related to some parser errors has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108322 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7500
DESCRIPTION: Libxml2 is vulnerable to a denial of service, caused by a memory access error when handling invalid entity boundaries. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7941
DESCRIPTION: Libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by improper validation when processing XML files. By using a specially-crafted XML file, an attacker could exploit this vulnerability to cause an out of bounds read error allowing the attacker to execute arbitrary code on the system.
CVSS Base Score: 4.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/108071 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-7942
DESCRIPTION: Libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by improper validation when processing XML files. By using a specially-crafted XML file, an attacker could exploit this vulnerability to cause an out of bounds read error allowing the attacker to execute arbitrary code on the system.
CVSS Base Score: 4.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/108073 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-8035
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an error when xz support is enabled. By using a specially-crafted xml file, an local attacker could exploit this vulnerability to cause the software to crash.
CVSS Base Score: 4.000
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/107845 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-8241
DESCRIPTION: libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the XML parser in xmlNextChar. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.900
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/108169 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8242
DESCRIPTION: libxml2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the HTML parser in push mode in xmlSAX2TextNode. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.900
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/108170 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8317
DESCRIPTION: libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the xmlParseXMLDecl function. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108316 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-0448
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2016-0466
DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

  • IBM Cognos Business Intelligence Server 10.2.2
  • IBM Cognos Business Intelligence Server 10.2.1.1
  • IBM Cognos Business Intelligence Server 10.2.1
  • IBM Cognos Business Intelligence Server 10.2
  • IBM Cognos Business Intelligence Server 10.1.1
  • IBM Cognos Business Intelligence Server 10.1
  • IBM Cognos Business Intelligence Server 8.4.1

Remediation/Fixes

The recommended solution is to apply the fix for versions listed as soon as practical.
8.4.1: http://www-01.ibm.com/support/docview.wss?uid=swg24041797
10.1.x: http://www-01.ibm.com/support/docview.wss?uid=swg24041904
10.2.x: http://www-01.ibm.com/support/docview.wss?uid=swg24041905

Workarounds and Mitigations

None known. Apply fixes.

Get Notified about Future Security Bulletins

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Cognos Business Intelligence

Software version: 8.4.1, 10.1, 10.1.1, 10.2, 10.2.1, 10.2.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1979767

Modified date: 05 October 2016