Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0322
Security Bulletin: Multiple vulnerabilities in IBM Cognos BI 8.4.1,10.1,
10.1.1 and 10.2 (CVE-2011-3026, CVE-2011-4858, CVE-2012-0498,
CVE-2012-2177, CVE-2012-2193, CVE-2012-4835, CVE-2012-4836, CVE-2012-4837,
CVE-2012-4840, CVE-2012-4858, CVE-2012-5081)
5 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Cognos Business Intelligence
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-5081 CVE-2012-4858 CVE-2012-4840
CVE-2012-4837 CVE-2012-4836 CVE-2012-4835
CVE-2012-2193 CVE-2012-2177 CVE-2012-0498
CVE-2011-4858 CVE-2011-3026
Reference: ASB-2012.0144
ASB-2012.0143
ASB-2012.0060
ASB-2012.0027
ASB-2012.0025
ESB-2012.0190
ESB-2012.0132
ESB-2012.0116
ASB-2012.0024.2
ESB-2012.0143.2
Original Bulletin:
https://www-304.ibm.com/support/docview.wss?uid=swg21626697
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM Cognos BI 8.4.1,10.1,
10.1.1 and 10.2 (CVE-2011-3026, CVE-2011-4858, CVE-2012-0498, CVE-2012-2177,
CVE-2012-2193, CVE-2012-4835, CVE-2012-4836, CVE-2012-4837, CVE-2012-4840,
CVE-2012-4858, CVE-2012-5081)
Document information
Cognos Business Intelligence
Security
Software version:
8.4.1, 10.1, 10.1.1, 10.2
Operating system(s):
AIX, HP Itanium, HP-UX, Linux, Solaris, Windows
Reference #:
1626697
Modified date:
2013-02-27
Abstract
Several security vulnerabilities have been identified in IBM Cognos BI which
may allowing remote attackers to:
- - Cause a denial of service condition via excessive CPU consumption,
- - Inject arbitrary JavaScript code into the victim's web browser,
- - Download arbitrary XML files from the server,
- - Call any registered XPath extension functions,
- - Execute arbitrary code via buffer overflow.
Content
VULNERABILITY DETAILS:
CVE ID: CVE-2011-3026
DESCRIPTION: The libpng graphic library is bundled with IBM Cognos BI. This
vulnerability allows malicious users to overflow a buffer and execute
arbitrary code on the server or cause the server to crash by requesting IBM
Cognos BI to render a specifically crafted PNG image.
CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73240 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
None known
CVE ID: CVE-2011-4858
DESCRIPTION: Apache Tomcat is bundled with IBM Cognos BI. This Tomcat
vulnerability allows remote attackers to cause a denial of service (CPU
consumption) by sending a maliciously crafted HTTP request to the Cognos
gateway.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72016 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
None known
CVE ID: CVE-2012-0498
DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This
vulnerability allows malicious users to affect confidentiality, integrity, and
availability by requesting IBM Cognos BI to render a specifically crafted
image.
CVSS:
CVSS Base Score: 10
The CVSS base score represents the maximum CVSS base score assigned by X-Force
for the vulnerabilities identified in this advisory.
AFFECTED PLATFORMS:
All supported Windows platforms for IBM Cognos BI.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s) :
None known, apply fixes
Mitigation(s):
A patched version of the Java Runtime Environment (JRE) can be installed
independently, and IBM Cognos BI can be configured to be run with the patched
version of the JRE.
CVE ID: CVE-2012-2177
DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability
requiring additional user interaction. The victim has to click a malicious
link and then click an additional link on the rendered Web page. The
attacker's JavaScript code is executed in the context of the victim's web
browser.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75400 for the
current score
CVSS Environmental Score*: Undefined
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
You can configure IBM Cognos BI 10.1 and above to use the httpOnly attribute
for the session cookie. That would prevent the attacker from stealing the
session id.
CVE ID: CVE-2012-2193
DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability
requiring additional user interaction. The victim has to click a malicious
link and then click an additional link on the rendered Web page. The
attacker's JavaScript code is executed in the context of the victim's web
browser.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76098 for the
current score
CVSS Environmental Score*: Undefined
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
You can configure IBM Cognos BI to use the httpOnly attribute for the session
cookie. That would prevent the attacker from stealing the session id.
CVE ID: CVE-2012-4835
DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability.
The victim has to click a malicious link. The attacker's JavaScript code is
executed in the context of the victim's web browser.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78917 for the
current score
CVSS Environmental Score*: Undefined
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
Configuring IBM Cognos BI 10.1 and above to use the httpOnly attribute for the
session cookie helps prevent the attacker from stealing a users session id.
CVE ID: CVE-2012-4836
DESCRIPTION: IBM Cognos BI is vulnerable to stored cross-site scripting,
caused by improper validation of user-supplied input. A remote attacker could
exploit this vulnerability to inject malicious script into a Web page which
would be executed in a victim's Web browser within the security context of the
hosting Web site, once the page is viewed.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78918 for the
current score
CVSS Environmental Score*: Undefined
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
You can configure IBM Cognos BI 10.1 and above to use the httpOnly attribute
for the session cookie. That would prevent the attacker from stealing the
session id.
CVE ID: CVE-2012-4837
DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by the
improper validation of input prior to using it in a XPath (XML Path Language)
query. By injecting arbitrary XPath code, a malicious user could exploit this
vulnerability to read arbitrary XML files.
CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78919 for the
current score
CVSS Environmental Score*: Undefined
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
None known
CVE ID: CVE-2012-4840
DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by the
improper validation of input prior to using it in a XPath (XML Path Language)
query. By injecting arbitrary XPath code, a remote unauthenticated attacker
could call any registered XPath extension function.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79116 for the
current score
CVSS Environmental Score*: Undefined
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
None known
CVE ID: CVE-2012-4858
DESCRIPTION: IBM Cognos BI is vulnerable to a remote OS command injection due
to missing validation of untrusted Java serialized input.
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79801 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
All supported platforms.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
None known
CVE ID: CVE-2012-5081
DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This
vulnerability allows malicious users to affect availability.
CVSS:
CVSS Base Score: 5
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PLATFORMS:
All supported Windows platforms for IBM Cognos BI.
REMEDIATION:
Apply Cognos Business Intelligence Interim Fixes for Security Exposure
Workaround(s):
None known, apply fixes
Mitigation(s):
A patched version of the Java Runtime Environment (JRE) can be installed
independently, and IBM Cognos BI can be configured to be run with the patched
version of the JRE.
REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2011-4858
CVE-2012-0498
CVE-2012-2177
CVE-2012-2193
CVE-2012-4835
CVE-2012-4836
CVE-2012-4837
CVE-2012-4840
CVE-2012-4858
CVE-2012-5081
Enabling the HTTPOnly parameter
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
CHANGE HISTORY:
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUTWYde4yVqjM2NGpAQL0Cg//Wa3v+0k9m9IcbnpYUZzm3DwG3wm36ITA
G6HIFNNrrJxSbbIONSANLLP1+Geb/8WBA/uc8nrV1RcoNdalSvqaS4gfwpgz+Ah9
/Nw05PUv7AB6tGRP/4KTJpCmhXxNrSWiN9Ko2qKdvYKJycKwN+S+Y+Zr176IfP/g
ufsRqtxkP4KZ+Xo6sUTfsAHrUUrZyKksFITO5+Jv88z16oG2xjU4uXg1RdW1uZA8
VCRQpPlRBAvQvBFvhEhkJL/uSNNv0PhZhRQL9zgSSP67htG8pRwiuhzptCFIDmvk
G3gVl/ogwIO/gy89wkguVSchxGSxj4CMvfxEQCR7KVw5Dfsu7NTmOaF6cq5MsuYN
kB/ZgYYoYUJSzA9TxC4f/8O6U/db8wQxAZZg4b5hTfwOpueoJV5PJqTcIydNFpIu
vm0tubjcrUnu57xRPcbUzrarMgh1JWCxA2jaAIQJTqJygjbTIN42ZlvjaCtzXYkE
bHXwHTJXkdGg9LKsyO8S+lhpfrIBBPIrvUnxY3yM2W5lqA1zP32ogx6w6wQq0NgV
qduSGMDOsogBu77yRSDJhbUS8T+qN+Hi1PUOQrgWlpnjprdSx0N8soBNYoFQ952L
QLu727CceRUhMDocm6aEpl4wcbZFOBWkGMZE/w+tG8a49xwz4XoDNrByVSL/RrpK
033KU6Gwuqg=
=t+4d
-----END PGP SIGNATURE-----