===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1099
        Cognos Business Intelligence 10.2.x interim fixes address a
                          security vulnerability
                                8 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Business Intelligence
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0224  

Reference:         ASB-2014.0073
                   ASB-2014.0071
                   ASB-2014.0069.2
                   ASB-2014.0068
                   ESB-2014.0888
                   ESB-2014.0887

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg24037870

- --------------------------BEGIN INCLUDED TEXT--------------------

Cognos Business Intelligence 10.2.x interim fixes address a security 
vulnerability

Document information

More support for:
Cognos Business Intelligence

Software version:
10.2, 10.2.1

Operating system(s):
AIX, HP Itanium, HP-UX, Linux, Solaris, Windows

Reference #:
4037870

Modified date:
2014-07-07

Downloadable files

Abstract

Cognos Business Intelligence interim fixes address a security vulnerability 
affecting IBM Cognos Business Intelligence 10.2, 10.2.1 and 10.2.1 Fix Pack 1

Download Description

The following interim fixes provide important product corrections related to a 
security vulnerability affecting IBM Cognos Business Intelligence 10.2, 10.2.1 
and 10.2.1 Fix Pack 1 (i.e. 10.2.1.1):

    IBM Cognos Business Intelligence 10.2 Interim Fix 9
    IBM Cognos Business Intelligence 10.2.1 Interim Fix 6
    IBM Cognos Business Intelligence 10.2.1 Fix Pack 1 Interim Fix 6

It is recommended that you apply the appropriate fix to all affected 
environments. After installing the IBM Cognos BI security updater, follow the 
instructions in Updating the IBM Cognos gateway after security kit 
installation. It is important to update the IBM Cognos BI gateway as there 
could be a potential mix of 32 bit and 64 bit libraries resulting in errors 
when accessing the gateway.

Prerequisites

These interim fixes require that the following releases are installed as 
prerequisites:

Cognos BI 10.2 Interim Fix 9 (10.2.0 IF9) requires that Cognos Business 
Intelligence 10.2 is already installed.

Cognos BI 10.2.1 Interim Fix 6 (10.2.1 IF6) requires that Cognos Business 
Intelligence 10.2.1 is already installed.

Cognos BI 10.2.1 Fix Pack 1 Interim Fix 6 (10.2.1.1 IF6) requires that Cognos 
Business Intelligence 10.2.1 Fix Pack 1 (10.2.1.1) is already installed.

Installation Instructions

To download an interim fix
1. Review the prerequisites.
2. Download the appropriate compressed tar file using the links in the Download
package section.
Some browsers might change the downloaded file type from .tar.gz to a file type
not recognized by the operating system. To correct this, change the file type 
back to tar.gz. Use of Download Director will prevent inadvertent renaming of
files at download. 

To install an interim fix on Linux or UNIX

    Copy the downloaded interim fix to the appropriate operating system.
    Change to the directory where you have copied the downloaded interim fix 
    image.
    Enter the following command: gunzip -c <filename>.tar.gz | tar xvf -
    If you want to see the version of a component before you install it, 
    unpack the tar file to disk, or read the table of contents of the tar file.
    Follow the installation instructions in the IBM Cognos Business 
    Intelligence Installation and Configuration Guide.
    Apply the interim fix to all installations.

Note: GNU Zip can be obtained from www.gzip.org and GNU tar can be obtained 
from www.gnu.org/software/tar . 
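
The script below is an added example, not part of the IBM or AusCERT text. It checks a download by content rather than by extension (covering the browser-renaming case above), reads the table of contents without unpacking, and refuses archives whose member paths would land outside the target directory. All file and directory names passed to it are placeholders.

```shell
#!/bin/sh
# Added example: check an interim-fix download before unpacking it.
# File and directory arguments are placeholders; the bulletin names none.

# True if the file starts with the gzip magic bytes 1f 8b, whatever its extension.
is_gzip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# Print the tar table of contents without writing anything to disk.
# Reading via stdin means a wrong file extension does not matter to gzip.
list_toc() {
    gzip -dc < "$1" | tar tf -
}

# Read a table of contents on stdin; true if any member has an absolute
# path or a ".." component, which could extract outside the target directory.
has_unsafe_paths() {
    grep -E '^/|(^|/)\.\.(/|$)' > /dev/null
}

# Unpack archive $1 into directory $2 only after both checks pass.
unpack_fix() {
    is_gzip "$1" || { echo "not gzip data: $1" >&2; return 1; }
    if list_toc "$1" | has_unsafe_paths; then
        echo "refusing to unpack, unsafe member path in: $1" >&2
        return 1
    fi
    mkdir -p "$2" && gzip -dc < "$1" | (cd "$2" && tar xf -)
}
```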

To install an interim fix on Windows

    Change to the directory where you have downloaded the interim fix.
    Using your file compress and decompress utility, decompress the .tar.gz 
    file. If you are using WinZip, select the option "use folder names".
    If you want to see the version of a component before you install it, unpack
    the tar file to disk, or read the table of contents of the tar file.
    Follow the installation instructions in the IBM Cognos Business 
    Intelligence Installation and Configuration Guide.
    Apply the interim fix to all installations.

URL 							LANGUAGE 		SIZE(Bytes)
Cognos BI Installation and Configuration Guide 10.2 	Language Independent 	7000
Cognos BI Installation and Configuration Guide 10.2.1 	Language Independent 	7000

Download package

It is recommended that you install the latest generally available interim fix.

Problems solved

These interim fixes resolve Common Vulnerability and Exposure CVE-2014-0224.

Download 						RELEASE DATE 	LANGUAGE 		SIZE(Bytes) 	Download Options
What is Fix Central (FC)?
Cognos BI Server 64-bit 10.2 IF9 AIX 			04 Jul 2014 	Language Independent 	75810000 	FC
Cognos BI Server 64-bit 10.2 IF9 HP-UX Itanium 		04 Jul 2014 	Language Independent 	87680000 	FC
Cognos BI Server 64-bit 10.2 IF9 Linux pSeries 		04 Jul 2014 	Language Independent 	52570000 	FC
Cognos BI Server 64-bit 10.2 IF9 Linux x86 		04 Jul 2014 	Language Independent 	56510000 	FC
Cognos BI Server 64-bit 10.2 IF9 Linux zSeries 		04 Jul 2014 	Language Independent 	55460000 	FC
Cognos BI Server 64-bit 10.2 IF9 Solaris 		04 Jul 2014 	Language Independent 	64480000 	FC
Cognos BI Server 32-bit 10.2 IF9 Windows 		04 Jul 2014 	Language Independent 	46680000 	FC
Cognos BI Server 64-bit 10.2 IF9 Windows 		04 Jul 2014 	Language Independent 	52900000 	FC
Cognos BI Server 64-bit 10.2.1 IF6 AIX 			04 Jul 2014 	Language Independent 	80680000 	FC
Cognos BI Server 64-bit 10.2.1 IF6 HP-UX Itanium 	04 Jul 2014 	Language Independent 	92590000 	FC
Cognos BI Server 64-bit 10.2.1 IF6 Linux pSeries 	04 Jul 2014 	Language Independent 	57500000 	FC
Cognos BI Server 64-bit 10.2.1 IF6 Linux x86 		04 Jul 2014 	Language Independent 	61420000 	FC
Cognos BI Server 64-bit 10.2.1 IF6 Linux zSeries 	04 Jul 2014 	Language Independent 	60540000 	FC
Cognos BI Server 64-bit 10.2.1 IF6 Solaris 		04 Jul 2014 	Language Independent 	69530000 	FC
Cognos BI Server 32-bit 10.2.1 IF6 Windows 		04 Jul 2014 	Language Independent 	54370000 	FC
Cognos BI Server 64-bit 10.2.1 IF6 Windows 		04 Jul 2014 	Language Independent 	60890000 	FC
Cognos BI Server 64-bit 10.2.1.1 IF6 AIX 		04 Jul 2014 	Language Independent 	103820000 	FC
Cognos BI Server 64-bit 10.2.1.1 IF6 HP-UX Itanium 	04 Jul 2014 	Language Independent 	107290000 	FC
Cognos BI Server 64-bit 10.2.1.1 IF6 Linux pSeries 	04 Jul 2014 	Language Independent 	69170000 	FC
Cognos BI Server 64-bit 10.2.1.1 IF6 Linux x86 		04 Jul 2014 	Language Independent 	133890000 	FC
Cognos BI Server 64-bit 10.2.1.1 IF6 Linux zSeries 	04 Jul 2014 	Language Independent 	72540000 	FC
Cognos BI Server 64-bit 10.2.1.1 IF6 Solaris 		04 Jul 2014 	Language Independent 	85170000 	FC
Cognos BI Server 32-bit 10.2.1.1 IF6 Windows 		04 Jul 2014 	Language Independent 	127840000 	FC
Cognos BI Server 64-bit 10.2.1.1 IF6 Windows 		04 Jul 2014 	Language Independent 	137350000 	FC

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================