-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1167
      Multiple security exposures in IBM Cognos BI Server (CVE-2013-2988,
        CVE-2013-2978, CVE-2013-1557, CVE-2013-0586, CVE-2013-1478)
                               28 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Business Intelligence Server
Publisher:         IBM
Operating System:  AIX
                   HP Itanium
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2988 CVE-2013-2978 CVE-2013-1557 CVE-2013-1478
                   CVE-2013-0586
Reference:         ASB-2013.0058 ASB-2013.0013 ESB-2013.1082 ESB-2013.1081
                   ESB-2013.1077 ESB-2013.0986 ESB-2013.0935 ESB-2013.0915
                   ESB-2013.0846 ESB-2013.0820 ESB-2013.0646 ESB-2013.0642
                   ESB-2013.0636 ESB-2013.0629 ESB-2013.0496 ESB-2013.0483
                   ESB-2013.0404 ESB-2013.0401

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21645566

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple security exposures in IBM Cognos BI Server (CVE-2013-2988,
CVE-2013-2978, CVE-2013-1557, CVE-2013-0586, CVE-2013-1478)

Flash (Alert)

Document information

Cognos Business Intelligence
Software version: 10.2.1
Operating system(s): AIX, HP Itanium, HP-UX, Linux, Solaris, Windows
Reference #: 1645566
Modified date: 2013-08-21

Abstract

IBM Cognos BI Server is affected by multiple security exposures.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-2988

DESCRIPTION: Inadequate access control: A malicious user may be able to
download files from the server that they are not intended to have access to.
The attacker must be an authenticated user with Report Author privileges and
must know the exact path and filename of the file attempting to be accessed.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84010 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION: The recommended solution is to apply the fixes listed at
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for
your release version as soon as practical.

CVE ID: CVE-2013-2978

DESCRIPTION: Inadequate access control: A malicious user may be able to
download files from the server that they are not intended to have access to.
The attacker must be an authenticated user with Report Author privileges and
must know the exact path and filename of the file attempting to be accessed.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION: The recommended solution is to apply the fixes listed at
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for
your release version as soon as practical.
CVE ID: CVE-2013-1557

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to RMI
could allow a remote attacker to execute arbitrary code on the system.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83572 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION: The recommended solution is to apply the fixes listed at
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for
your release version as soon as practical.

CVE ID: CVE-2013-0586

DESCRIPTION: Reflective cross-site scripting (XSS) due to inadequate input
validation. An attacker who can trick a legitimate user into clicking on a
link the attacker creates may be able to execute scripts of their choosing.
This would allow the attacker to perform actions in the context of the user.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83380 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION: The recommended solution is to apply the fixes listed at
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for
your release version as soon as practical.
ACKNOWLEDGEMENT: The vulnerability was discovered by Oren Ofer of Hacktics
Advanced Security Center at Ernst & Young.

CVE ID: CVE-2013-1478

DESCRIPTION: Unspecified vulnerability in the Java Runtime Environment (JRE)
component allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to 2D.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION: The recommended solution is to apply the fixes listed at
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for
your release version as soon as practical.

REFERENCES:
Complete CVSS Guide
On-line Calculator V2

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list
of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================