Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0223
Security Bulletin: Multiple security exposures in IBM Cognos BI Server
21 February 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Cognos Business Intelligence
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0861 CVE-2014-0854 CVE-2013-6954
CVE-2013-6732 CVE-2013-5825 CVE-2013-5802
Reference: ESB-2014.0143
ESB-2014.0132
ASB-2013.0124
ASB-2013.0113
ESB-2013.1778
ESB-2013.1777
ESB-2013.1743
ESB-2013.1696
ESB-2013.1594
ESB-2013.1593
ESB-2013.1592
ESB-2013.1577
ESB-2013.1511
ESB-2013.1499
ESB-2013.1493
ESB-2013.1480
ESB-2013.1468
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21662856
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple security exposures in IBM Cognos BI Server
(CVE-2013-6954, CVE-2013-6732, CVE-2013-5802, CVE-2013-5825, CVE-2014-0854,
CVE-2014-0861)
Security Bulletin
Document information
More support for:
Cognos Business Intelligence
Software version:
8.4.1, 10.1, 10.1.1, 10.2, 10.2.1
Operating system(s):
AIX, HP Itanium, HP-UX, Linux, Solaris, Windows
Reference #:
1662856
Modified date:
2014-02-14
Summary
IBM Cognos BI Server is affected by multiple security exposures.
Vulnerability Details
CVE ID: CVE-2013-6954
DESCRIPTION: If an attacker is able to upload a specially-crafted image to the
IBM Cognos BI Server and have the application process it, they may be able to
cause the application to crash, resulting in a Denial of Service.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89917 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
AFFECTED PLATFORMS:
REMEDIATION:
The recommended solution is to apply the fix in one of the 10.x versions
listed or in version 8.4.1 for your release version as soon as practical.
Cognos BI 10.2 IF7, Cognos BI 10.2.1 IF4 and Cognos BI 10.2.1.1 IF4 downloads
Cognos BI 10.1 IF6 and Cognos BI 10.1.1 IF5 downloads
CVE ID: CVE-2013-6732
DESCRIPTION: An unsanitized input parameter allows an attack to perform a
reflective cross-site scripting attack if he can trick a user into clicking a
link.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89394 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1
REMEDIATION:
The recommended solution is to apply the fix in one of the 10.x versions
listed or in version 8.4.1 for your release version as soon as practical.
Cognos BI 10.2 IF7, Cognos BI 10.2.1 IF4 and Cognos BI 10.2.1.1 IF4 downloads
Cognos BI 10.1 IF6 and Cognos BI 10.1.1 IF5 downloads
CVE ID: CVE-2013-5802
DESCRIPTION: If an attacker is able to upload malformed or extremely large
streams of XML data to the IBM Cognos BI Server, they may be able to cause the
application to crash, resulting in a Denial of Service..
CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)
AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1
REMEDIATION:
The recommended solution is to apply the fix in one of the 10.x versions
listed or in version 8.4.1 for your release version as soon as practical.
Cognos BI 10.2 IF7, Cognos BI 10.2.1 IF4 and Cognos BI 10.2.1.1 IF4 downloads
Cognos BI 10.1 IF6 and Cognos BI 10.1.1 IF5 downloads
CVE ID: CVE-2013-5825
DESCRIPTION: If an attacker is able to upload malformed XML data to the IBM
Cognos BI Server, they may be able to cause the application to crash,
resulting in a Denial of Service.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)
AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1
REMEDIATION:
The recommended solution is to apply the fix in one of the 10.x versions
listed or in version 8.4.1 for your release version as soon as practical.
Cognos BI 10.2 IF7, Cognos BI 10.2.1 IF4 and Cognos BI 10.2.1.1 IF4 downloads
Cognos BI 10.1 IF6 and Cognos BI 10.1.1 IF5 downloads
CVE ID: CVE-2014-0854
DESCRIPTION: A malicious user can specify a unintended DOCTYPE in XML Posted
to the server. This can be used to echo back any file from the server that the
process running the application has access to.
CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90794 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/S:C/P:I/N:A/N)
AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1
REMEDIATION:
The recommended solution is to apply the fix in one of the 10.x versions
listed or in version 8.4.1 for your release version as soon as practical.
Cognos BI 10.2 IF7, Cognos BI 10.2.1 IF4 and Cognos BI 10.2.1.1 IF4 downloads
Cognos BI 10.1 IF6 and Cognos BI 10.1.1 IF5 downloads
CVE ID: CVE-2014-0861
DESCRIPTION: An insufficiently sanitized parameter allows an attack to craft a
URL that when an authenticated user clicks on and then proceeds to use the
applications back/return button launches a script in the context of that user.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/40682 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/M:Au/N:C/N:I/P:A/N)
AFFECTED PLATFORMS:
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.1
IBM Cognos Business Intelligence Server 8.4.1
REMEDIATION:
The recommended solution is to apply the fix in one of the 10.x versions
listed or in version 8.4.1 for your release version as soon as practical.
Cognos BI 10.2 IF7, Cognos BI 10.2.1 IF4 and Cognos BI 10.2.1.1 IF4 downloads
Cognos BI 10.1 IF6 and Cognos BI 10.1.1 IF5 downloads
References:
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
14 February 2014, Original Copy Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUwasAxLndAQH1ShLAQJu/Q//TZbnVRtvJa9XYEIgGSG/ZP0flyLz8Can
dJ3nmScnk3BBaWwcuMLFy6D60nyNRPcg6l7Tc6s1aWTzcIT4Hfr0oKlEJQxxrTRZ
D4y5Je6xVQ/YX5pX422Gjj00Qr1lpJd8Pd7PXxGcttz4h1YjZsSprBXRDVled8lL
azcnnnh6yz01noxPrORjgUEfTfKfEh1GM0qj09aTtDMXtNHtBDlc9yQiexo2C8aW
QfnIoblXJwGDJHk8kEtOwJfFsxQpggJR5U7exLCKMt8a6jHRHEIpWXjAgVJcz9WX
m1u2lXdPFQWV2x6eN7rD1r8h8vOTz9VYb7zI/GlPZZtbZACfwnJr0iDQuEIudcyN
4ZJV0iBZmc54t0JRTJ2SX8XnXruVL7jc8h9MgwyriqETnqTyN49MIVlgQsVU2raL
A2ww38qyDFQNQnBGHAoFVyB/3QjrVFQcD7Q8EtHMkuZqvtk1YLqr7qaCUj4oxHBu
JfsOJ4NRRDIJJI/XBiqae6m+gkUpFiZRvBvMU/qPnzL+ptcMbb+43ejyiRTVlfw/
9iPgqsvX4N3cupUTGgjZflM3hqV7gGQwqWYUGoH16lb708Ji8PHU948mIYoArTXc
5y5o//XlawBnNS0yhsEPhiTaIhVtRnQhIi8Neipdw4X8KCorpfgWYBQpjoTEkaD/
8QPbkptQA4Y=
=By1N
-----END PGP SIGNATURE-----