===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2046
        IBM Cognos Express is affected by multiple vulnerabilities
                              4 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Express
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Modify Arbitrary Files -- Remote/Unauthenticated
                   Create Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0878 CVE-2014-0863 CVE-2014-0460
                   CVE-2014-0423 CVE-2014-0416 CVE-2014-0411
                   CVE-2014-0224 CVE-2014-0107 CVE-2013-4322
                   CVE-2012-3544  

Reference:         ASB-2014.0121
                   ASB-2014.0092
                   ASB-2014.0077
                   ASB-2014.0005
                   ESB-2014.1948
                   ESB-2014.1753
                   ESB-2014.1385
                   ESB-2014.1338
                   ESB-2014.1134
                   ESB-2014.1118

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21687622
   http://www-01.ibm.com/support/docview.wss?uid=swg21687629
   http://www-01.ibm.com/support/docview.wss?uid=swg21687632
   http://www-01.ibm.com/support/docview.wss?uid=swg21687639
   http://www-01.ibm.com/support/docview.wss?uid=swg21687640
   http://www-01.ibm.com/support/docview.wss?uid=swg21687642

Comment: This bulletin contains six (6) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Cognos Express is affected by the following 
vulnerability: CVE-2014-0863

Document information

More support for:

Cognos Express

Software version:

9.5, 10.1, 10.2.1

Operating system(s):

Windows

Software edition:

All Editions

Reference #:

1687622

Modified date:

2014-11-03

Security Bulletin

Summary

A security vulnerability has been discovered in IBM Cognos Express that results
in unencrypted passwords being found in memory on the client.

Vulnerability Details

CVE-ID: CVE-2014-0863

CVSS Base Score: 4.0

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90937 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

An obfuscated password in the Cognos Express Xcelerator application can be
retrieved: testers were able to use a security tool to obtain the password for
a database user.

Affected Products and Versions

IBM Cognos Express 9.5

IBM Cognos Express 10.1

IBM Cognos Express 10.2.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos Express
versions listed as soon as practical:

IBM Cognos Express 10.1 FP1 Interim Fix 6

IBM Cognos Express 10.2.1 FP2

If you are unable to upgrade from IBM Cognos Express 9.5 to IBM Cognos Express
10.2.1 FP2, please contact IBM Customer Support.

Workarounds and Mitigations

None

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

November 3, 2014 (Original Version Published)

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.
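The Base Score / CVSS Vector pairs in these bulletins are CVSS v2, and the base score is a deterministic function of the vector; recomputing it is a quick sanity check when triaging, and the environmental adjustment the footnote refers to starts from this number. The class below is an added example for this page, not IBM's or FIRST's code; it applies the published CVSS v2 base-score weights and reproduces the base scores printed beside the vectors in this bulletin. It computes only the base score, not temporal or environmental scores, and a CVE that prints no vector (CVE-2014-0423 above) cannot be recomputed from the bulletin.

```java
import java.util.HashMap;
import java.util.Map;

/** Recomputes a CVSS v2 base score from a vector string such as (AV:N/AC:L/Au:S/C:P/I:N/A:N). */
public final class CvssV2Base {
    // Published CVSS v2 metric weights, keyed by "metric:value".
    private static final Map<String, Double> W = new HashMap<>();
    static {
        W.put("AV:L", 0.395); W.put("AV:A", 0.646); W.put("AV:N", 1.0);
        W.put("AC:H", 0.35);  W.put("AC:M", 0.61);  W.put("AC:L", 0.71);
        W.put("Au:M", 0.45);  W.put("Au:S", 0.56);  W.put("Au:N", 0.704);
        W.put("C:N", 0.0);    W.put("C:P", 0.275);  W.put("C:C", 0.660);
        W.put("I:N", 0.0);    W.put("I:P", 0.275);  W.put("I:C", 0.660);
        W.put("A:N", 0.0);    W.put("A:P", 0.275);  W.put("A:C", 0.660);
    }

    /** Parses the six base metrics and applies the CVSS v2 base equation, rounded to one decimal. */
    public static double baseScore(String vector) {
        Map<String, Double> m = new HashMap<>();
        for (String part : vector.replaceAll("[()]", "").split("/")) {
            String[] kv = part.split(":");
            if (kv.length != 2 || !W.containsKey(part)) {
                throw new IllegalArgumentException("unknown metric: " + part);
            }
            m.put(kv[0], W.get(part));
        }
        for (String k : new String[] {"AV", "AC", "Au", "C", "I", "A"}) {
            if (!m.containsKey(k)) throw new IllegalArgumentException("missing metric " + k);
        }
        double impact = 10.41 * (1 - (1 - m.get("C")) * (1 - m.get("I")) * (1 - m.get("A")));
        double exploitability = 20 * m.get("AV") * m.get("AC") * m.get("Au");
        double fImpact = impact == 0 ? 0 : 1.176;   // f(Impact) from the CVSS v2 specification
        double raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * fImpact;
        return Math.round(raw * 10.0) / 10.0;
    }

    public static void main(String[] args) {
        // Vectors as printed in this bulletin; compare each result with the base score printed beside it.
        String[] vectors = {
            "(AV:N/AC:L/Au:S/C:P/I:N/A:N)",   // CVE-2014-0863
            "(AV:N/AC:L/Au:N/C:N/I:N/A:P)",   // CVE-2013-4322
            "(AV:N/AC:H/Au:N/C:P/I:P/A:N)",   // CVE-2014-0411
            "(AV:N/AC:M/Au:N/C:P/I:P/A:N)",   // CVE-2014-0224, CVE-2014-0878, CVE-2014-0460
        };
        for (String v : vectors) {
            System.out.println(v + " -> " + baseScore(v));
        }
    }
}
```

Running the class against the four distinct vectors in this bulletin yields 4.0, 5.0, 4.0 and 5.8, matching the printed base scores; a mismatch between a vendor's printed score and its vector is worth a second look before it drives patch prioritisation.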

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

----------------------------------------------------------------------------

Security Bulletin: IBM Cognos Express is affected by the following Tomcat 
vulnerability: CVE-2013-4322

Document information

More support for:

Cognos Express

Software version:

9.5, 10.1, 10.2.1

Operating system(s):

Windows

Software edition:

All Editions

Reference #:

1687629

Modified date:

2014-11-03

Security Bulletin

Summary

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 
processes chunked transfer coding without properly handling (1) a large total
amount of chunked data or (2) whitespace characters in an HTTP header value 
within a trailer field, which allows remote attackers to cause a denial of 
service by streaming data.

NOTE: this vulnerability exists because of an incomplete fix for 
CVE-2012-3544.
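The failure mode the summary describes, chunked input that is consumed without a bound on total size and trailer headers that are not handled strictly, is easiest to see in a decoder that enforces limits before it buffers anything. The class below is an added example written for this page, not Tomcat's or IBM's code. The class name, the three caps (decoded body bytes, chunk-extension bytes, trailer bytes), their values and the sample messages are all constructed for the example; the caps are this decoder's own design, not Tomcat's configuration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Decoder for the HTTP/1.1 chunked transfer coding that enforces explicit
 * limits on (a) total decoded body size, (b) bytes spent on chunk extensions
 * and (c) bytes spent on trailer headers, so an endless stream of chunks or
 * an oversized trailer is rejected instead of consumed. Limit values are
 * hypothetical, chosen for this example.
 */
public final class BoundedChunkedDecoder {
    private final int maxBodyBytes, maxExtensionBytes, maxTrailerBytes;

    public BoundedChunkedDecoder(int maxBodyBytes, int maxExtensionBytes, int maxTrailerBytes) {
        this.maxBodyBytes = maxBodyBytes;
        this.maxExtensionBytes = maxExtensionBytes;
        this.maxTrailerBytes = maxTrailerBytes;
    }

    /** Returns the decoded body, or throws IOException as soon as a limit or syntax rule is violated. */
    public byte[] decode(byte[] wire) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        int pos = 0, extensionBytes = 0;
        while (true) {
            int eol = findCrlf(wire, pos);
            String sizeLine = new String(wire, pos, eol - pos, StandardCharsets.ISO_8859_1);
            pos = eol + 2;
            int semi = sizeLine.indexOf(';');
            String hex = semi < 0 ? sizeLine : sizeLine.substring(0, semi);
            if (semi >= 0) {                       // chunk-ext = *( ";" name [ "=" value ] )
                extensionBytes += sizeLine.length() - semi;
                if (extensionBytes > maxExtensionBytes) throw new IOException("chunk extensions exceed limit");
            }
            int size = parseChunkSize(hex.trim());
            if (size == 0) break;                  // last-chunk; an optional trailer section follows
            if (body.size() + size > maxBodyBytes) throw new IOException("decoded body exceeds limit");
            if (pos + size + 2 > wire.length) throw new IOException("truncated chunk");
            body.write(wire, pos, size);
            pos += size;
            if (wire[pos] != '\r' || wire[pos + 1] != '\n') throw new IOException("missing CRLF after chunk data");
            pos += 2;
        }
        int trailerBytes = 0;                      // trailer-part = *( header-field CRLF )
        while (true) {
            int eol = findCrlf(wire, pos);
            if (eol == pos) break;                 // empty line terminates the message
            trailerBytes += eol - pos + 2;
            if (trailerBytes > maxTrailerBytes) throw new IOException("trailer exceeds limit");
            String line = new String(wire, pos, eol - pos, StandardCharsets.ISO_8859_1);
            int colon = line.indexOf(':');
            if (colon <= 0 || line.charAt(0) == ' ' || line.charAt(0) == '\t')
                throw new IOException("malformed trailer line (no field name, or obsolete line folding)");
            for (char c : line.substring(colon + 1).toCharArray())
                if (c < 0x20 && c != '\t') throw new IOException("control character in trailer value");
            pos = eol + 2;
        }
        return body.toByteArray();
    }

    private static int findCrlf(byte[] b, int from) throws IOException {
        for (int i = from; i + 1 < b.length; i++)
            if (b[i] == '\r' && b[i + 1] == '\n') return i;
        throw new IOException("unterminated line");
    }

    private static int parseChunkSize(String hex) throws IOException {
        // At most 7 hex digits keeps the value inside a positive int; no sign, no stray characters.
        if (hex.isEmpty() || hex.length() > 7 || !hex.matches("[0-9A-Fa-f]+"))
            throw new IOException("bad chunk size: " + hex);
        return Integer.parseInt(hex, 16);
    }

    public static void main(String[] args) throws IOException {
        BoundedChunkedDecoder d = new BoundedChunkedDecoder(1024, 64, 128);
        // Constructed sample: two chunks, one chunk extension, one trailer header.
        byte[] ok = "5;ext=1\r\nhello\r\n6\r\n world\r\n0\r\nX-Checksum: abc\r\n\r\n"
                .getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("decoded: " + new String(d.decode(ok), StandardCharsets.ISO_8859_1));
        // Constructed sample: a single trailer line well beyond the 128-byte trailer cap.
        StringBuilder big = new StringBuilder("0\r\nX-Pad: ");
        for (int i = 0; i < 200; i++) big.append('a');
        big.append("\r\n\r\n");
        try {
            d.decode(big.toString().getBytes(StandardCharsets.ISO_8859_1));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first sample decodes to the concatenated chunk data; the second is refused when the trailer cap is crossed, before any further input is read. The point of counting extension and trailer bytes cumulatively, rather than per line, is that the attacker-controlled part of a chunked message is exactly the part that carries no body bytes, so a cap on the decoded body alone leaves it unbounded.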

Vulnerability Details

CVE ID: CVE-2013-4322

CVSS:

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91625 for the 
current score.

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Cognos Express 9.5

IBM Cognos Express 10.1

IBM Cognos Express 10.2.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos Express
versions listed as soon as practical:

IBM Cognos Express 10.1 FP1 Interim Fix 6

IBM Cognos Express 10.2.1 FP2

If you are unable to upgrade from IBM Cognos Express 9.5 to IBM Cognos Express
10.2.1 FP2, please contact IBM Customer Support.

Workarounds and Mitigations

None

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

November 3, 2014 (Original Version Published)


----------------------------------------------------------------------------

Security Bulletin: IBM Cognos Express is affected by the following 
vulnerabilities: CVE-2014-0416, CVE-2014-0411, CVE-2014-0423

Document information

More support for:

Cognos Express

Software version:

9.5, 10.1, 10.2.1

Operating system(s):

Windows

Software edition:

All Editions

Reference #:

1687632

Modified date:

2014-11-03

Security Bulletin

Summary

IBM Cognos Express is affected by multiple security exposures identified in 
the January 2014 IBM Java Quarterly CPU report.

Vulnerability Details

CVE ID: CVE-2014-0416

DESCRIPTION: javax.security.auth.Subject is serializable but does not validate
deserialized data properly. Malicious code could exploit this to construct an
invalid Subject instance with content that differs from the advertised 
properties. In addition, if a server deserializes serialized data from 
untrusted sources, an attacker could insert an invalid instance of Subject 
class into a server Java process.

The fix ensures that serialized instances of Subject are deserialized 
correctly and safely.

CVSS:

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the 
current score.

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-0411

DESCRIPTION: Timing differences based on the validity of messages can be 
exploited to decrypt the entire session. The exploit is not trivial, requiring
a man-in-the-middle position and a long time (around 20 hours). The fix 
eliminates the timing differences.

CVSS:

CVSS Base Score: 4

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0423

DESCRIPTION: The DocumentHandler used by the java.beans.XMLDecoder 
implementation allows the use of external entities by default. This 
facilitates a variety of attacks via malicious XML data. The fix ensures that
external entities are ignored by java.beans.XMLDecoder.

CVSS:

CVSS Base Score: 5.5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90340 for the 
current score.

CVSS Environmental Score*: Undefined

Affected Products and Versions

IBM Cognos Express 9.5

IBM Cognos Express 10.1

IBM Cognos Express 10.2.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos Express
versions listed as soon as practical:

IBM Cognos Express 10.1 FP1 Interim Fix 6

IBM Cognos Express 10.2.1 FP2

If you are unable to upgrade from IBM Cognos Express 9.5 to IBM Cognos Express
10.2.1 FP2, please contact IBM Customer Support.

Workarounds and Mitigations

None

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

November 3, 2014 (Original Version Published)


----------------------------------------------------------------------------

Security Bulletin: IBM Cognos Express is affected by the following 
vulnerability: CVE-2014-0107

Document information

More support for:

Cognos Express

Software version:

9.5, 10.1, 10.2.1

Operating system(s):

Windows

Software edition:

All Editions

Reference #:

1687639

Modified date:

2014-11-03

Security Bulletin

Summary

A security vulnerability has been discovered in the open source Apache 
Xalan-Java library, as reported in the April X-Force Report.

Vulnerability Details

CVE-ID: CVE-2014-0107

DESCRIPTION: Apache Xalan-Java could allow a remote attacker to bypass 
security restrictions, caused by the improper handling of output properties. 
An attacker could exploit this vulnerability to bypass the secure processing 
feature to load arbitrary restricted classes.

CVSS:

CVSS Base Score: 5.0

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92023 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
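Both the java.beans.XMLDecoder issue (CVE-2014-0423, in the previous bulletin) and the Xalan-Java secure-processing bypass here come down to XML processors that accept more than the application needs: external entities in one case, restricted classes reachable from a stylesheet in the other. As an added example that is not IBM's, Xalan's or the JDK's code, the class below builds a DOM parser with DTDs and external entities disabled and a TransformerFactory with FEATURE_SECURE_PROCESSING switched on, which is the control the Xalan flaw bypassed and a patched Xalan honours. The class name and sample documents are constructed. XMLDecoder offers no feature switches of its own, so the defensive position for it is to keep it away from untrusted input entirely; the hardened parser below is for the application's general XML paths.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Hardened JAXP setup: a DOM parser that refuses DOCTYPEs and external
 * entities, and a TransformerFactory running with secure processing on.
 * Class name and sample documents are constructed for this example.
 */
public final class HardenedXml {

    /** DOM parser with DTD processing and external entity resolution disabled. */
    public static DocumentBuilder parser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing the DOCTYPE outright removes external and internal entity declarations alike.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** TransformerFactory with secure processing on and external DTD/stylesheet access closed. */
    public static TransformerFactory transformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException notSupported) {
            // Factories older than JAXP 1.5 reject these attributes; secure processing still applies.
        }
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign document and stylesheet: both pass through the hardened path.
        Document doc = parser().parse(new InputSource(new StringReader("<root><item>ok</item></root>")));
        String stylesheet = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
                + "<xsl:output method='xml' omit-xml-declaration='yes'/>"
                + "<xsl:template match='/'><copy><xsl:copy-of select='/root/item'/></copy></xsl:template>"
                + "</xsl:stylesheet>";
        Transformer t = transformerFactory().newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        System.out.println("transformed: " + out);

        // Constructed document carrying a DOCTYPE that declares an external entity: rejected at parse time.
        String withDoctype = "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///placeholder\">]><root>&ext;</root>";
        try {
            parser().parse(new InputSource(new StringReader(withDoctype)));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Creating the factories once and reusing them is the usual pattern; the important property is that every parser and transformer the application hands untrusted XML to comes from a factory configured this way, since a single default-configured DocumentBuilderFactory.newInstance() elsewhere in the code base reopens the same hole.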

Affected Products and Versions

IBM Cognos Express 9.5

IBM Cognos Express 10.1

IBM Cognos Express 10.2.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos Express
versions listed as soon as practical:

IBM Cognos Express 10.1 FP1 Interim Fix 6

IBM Cognos Express 10.2.1 FP2

If you are unable to upgrade from IBM Cognos Express 9.5 to IBM Cognos Express
10.2.1 FP2, please contact IBM Customer Support.

Workarounds and Mitigations

None

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

November 3, 2014 (Original Version Published)


----------------------------------------------------------------------------

Security Bulletin: IBM Cognos Express is affected by the following OpenSSL 
vulnerability: CVE-2014-0224

Document information

More support for:

Cognos Express

Software version:

9.5, 10.1, 10.2.1

Operating system(s):

Windows

Software edition:

All Editions

Reference #:

1687640

Modified date:

2014-11-03

Security Bulletin

Summary

Security vulnerabilities have been discovered in OpenSSL that were reported on
June 5, 2014 by the OpenSSL Project.

Vulnerability Details

CVE-ID: CVE-2014-0224

DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by 
the use of weak keying material in SSL/TLS clients and servers. A remote 
attacker could exploit this vulnerability using a specially-crafted handshake
to conduct man-in-the-middle attacks to decrypt and modify traffic.

CVSS:

CVSS Base Score: 5.8

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Cognos Express 9.5

IBM Cognos Express 10.1

IBM Cognos Express 10.2.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos Express
versions listed as soon as practical:

IBM Cognos Express 10.1 FP1 Interim Fix 6

IBM Cognos Express 10.2.1 FP2

If you are unable to upgrade from IBM Cognos Express 9.5 to IBM Cognos Express
10.2.1 FP2, please contact IBM Customer Support.

Workarounds and Mitigations

None

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

November 3, 2014 (Original Version Published)


----------------------------------------------------------------------------

Security Bulletin: IBM Cognos Express is affected by the following 
vulnerabilities: CVE-2014-0878, CVE-2014-0460

Document information

More support for:

Cognos Express

Software version:

9.5, 10.1, 10.2.1

Operating system(s):

Windows

Software edition:

All Editions

Reference #:

1687642

Modified date:

2014-11-03

Security Bulletin

Summary

Security vulnerabilities have been discovered in the IBM JRE that were 
disclosed in the Oracle April 2014 Critical Patch Update.

Vulnerability Details

CVE-ID: CVE-2014-0878

DESCRIPTION: A vulnerability in the IBMSecureRandom implementation of the 
IBMJCE and IBMSecureRandom cryptographic providers potentially allows an 
attacker to predict the output of the random number generator under certain 
circumstances.

CVSS:

CVSS Base Score: 5.8

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-ID: CVE-2014-0460

DESCRIPTION: An unspecified vulnerability related to the JNDI component has 
partial confidentiality impact, partial integrity impact, and no availability
impact.

CVSS:

CVSS Base Score: 5.8

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92482 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Cognos Express 9.5

IBM Cognos Express 10.1

IBM Cognos Express 10.2.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos Express
versions listed as soon as practical:

IBM Cognos Express 10.1 FP1 Interim Fix 6

IBM Cognos Express 10.2.1 FP2

If you are unable to upgrade from IBM Cognos Express 9.5 to IBM Cognos Express
10.2.1 FP2, please contact IBM Customer Support.

Workarounds and Mitigations

None

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

November 3, 2014 (Original Version Published)


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================