===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1167
    Multiple security exposures in IBM Cognos BI Server (CVE-2013-2988,
        CVE-2013-2978, CVE-2013-1557, CVE-2013-0586, CVE-2013-1478)
                              28 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Business Intelligence Server
Publisher:         IBM
Operating System:  AIX
                   HP Itanium
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2988 CVE-2013-2978 CVE-2013-1557
                   CVE-2013-1478 CVE-2013-0586 

Reference:         ASB-2013.0058
                   ASB-2013.0013
                   ESB-2013.1082
                   ESB-2013.1081
                   ESB-2013.1077
                   ESB-2013.0986
                   ESB-2013.0935
                   ESB-2013.0915
                   ESB-2013.0846
                   ESB-2013.0820
                   ESB-2013.0646
                   ESB-2013.0642
                   ESB-2013.0636
                   ESB-2013.0629
                   ESB-2013.0496
                   ESB-2013.0483
                   ESB-2013.0404
                   ESB-2013.0401

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21645566

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple security exposures in IBM Cognos BI Server (CVE-2013-2988, 
CVE-2013-2978, CVE-2013-1557, CVE-2013-0586, CVE-2013-1478)

Flash (Alert)

Document information

Cognos Business Intelligence

Software version:
10.2.1

Operating system(s):
AIX, HP Itanium, HP-UX, Linux, Solaris, Windows

Reference #:
1645566

Modified date:
2013-08-21

Abstract

IBM Cognos BI Server is affected by multiple security exposures.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-2988

DESCRIPTION:
Inadequate access control: A malicious user may be able to download files 
from the server that they are not intended to have access to.
The attacker must be an authenticated user with Report Author privileges 
and must know the exact path and filename of the file they are attempting 
to access.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84010 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION:
The recommended solution is to apply the fixes listed at 
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or 
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for 
your release version as soon as practical. 

CVE ID: CVE-2013-2978

DESCRIPTION:
Inadequate access control: A malicious user may be able to download files 
from the server that they are not intended to have access to.
The attacker must be an authenticated user with Report Author privileges 
and must know the exact path and filename of the file they are attempting 
to access.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83971 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION:
The recommended solution is to apply the fixes listed at 
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or 
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for 
your release version as soon as practical. 

CVE ID: CVE-2013-1557

DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to RMI could allow 
a remote attacker to execute arbitrary code on the system.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83572 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION:
The recommended solution is to apply the fixes listed at 
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or 
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for 
your release version as soon as practical. 

CVE ID: CVE-2013-0586

DESCRIPTION:
Reflective cross-site scripting (XSS) due to inadequate input validation. 
An attacker who can trick a legitimate user into clicking on a link the 
attacker creates may be able to execute scripts of their choosing. This 
would allow the attacker to perform actions in the context of the user.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83380 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION:
The recommended solution is to apply the fixes listed at 
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or 
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for 
your release version as soon as practical.

ACKNOWLEDGEMENT:
The vulnerability was discovered by Oren Ofer of Hacktics Advanced 
Security Center at Ernst & Young. 

CVE ID: CVE-2013-1478

DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component 
allows remote attackers to affect confidentiality, integrity, and 
availability via unknown vectors related to 2D.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81754 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1

REMEDIATION:
The recommended solution is to apply the fixes listed at 
http://www.ibm.com/support/docview.wss?uid=swg24035222 (10.x versions) or 
http://www.ibm.com/support/docview.wss?uid=swg24035585 (version 8.4.1) for 
your release version as soon as practical. 

REFERENCES:

Complete CVSS Guide
On-line Calculator V2

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the 
impact of this vulnerability in their environments by accessing the links 
in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams 
(FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry 
open standard designed to convey vulnerability severity and help to 
determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES 
"AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE 
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY 
VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product 
and service names might be trademarks of IBM or other companies. A current 
list of IBM trademarks is available on the Web at "Copyright and trademark 
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================