Operating System:

[WIN][LINUX][HP-UX][Solaris][AIX]

Published:

11 December 2014

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2014.2370 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2370
Security Bulletin: A vulnerability in the Mozilla Network Security Services
         (NSS) affects IBM Cognos Metrics Manager (CVE-2014-1568)
                             11 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Business Intelligence
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1568  

Reference:         ASB-2014.0108
                   ASB-2014.0107
                   ESB-2014.1684
                   ESB-2014.1681
                   ESB-2014.1666
                   ESB-2014.1663

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21691656

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A vulnerability in the Mozilla Network Security Services
(NSS) affects IBM Cognos Metrics Manager (CVE-2014-1568)

Document information

More support for:
Cognos Business Intelligence
Metrics Studio

Software version:
10.1, 10.1.1, 10.2, 10.2.1

Operating system(s):
AIX, HP Itanium, HP-UX, Linux, Solaris, Windows

Reference #:
1691656

Modified date:
2014-12-10

Security Bulletin

Summary

A Mozilla Network Security Services (NSS) was disclosed on Sep 24, 2014. NSS
is used by IBM Cognos Metrics Manager. IBM Cognos Metrics Manager has
addressed the vulnerability.

Vulnerability Details

CVEID: CVE-2014-1568
DESCRIPTION: Mozilla Network Security Services (NSS) could allow a
remote attacker to bypass security restrictions, caused by the failure
to properly parse ASN.1 values in a digital signature. An attacker could
exploit this vulnerability using a Bleichenbacher attack variant against
the RSA algorithm to forge RSA certificates and gain unauthorized access
to secure data. Note: This vulnerability also affects Google Chrome.
CVSS Base Score: 8.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96194 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N)

Affected Products and Versions

    IBM Cognos Metrics Manager 10.2.1
    IBM Cognos Metrics Manager 10.2
    IBM Cognos Metrics Manager 10.1.1
    IBM Cognos Metrics Manager 10.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos
Business Intelligence 10.x interim fixes listed as soon as practical. Note
that the prerequisites named in the links are also satisfied by an IBM
Cognos Metrics Manager install of the same version.
IBM Cognos Business Intelligence 10.1.x Interim fixes
IBM Cognos Business Intelligence 10.2.x Interim fixes

Workarounds and Mitigations

None

References

Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

Original Version Published: December 10, 2014

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVIkoxhLndAQH1ShLAQJBTA/9EpwEnBd9vjWS7CVAdc0LCjN2eZlcyJ+F
Mf3HWwKplQUKZ1Ta/q0w0fA5UYFG6rbNlfeHpguRTGg2zoVDBJQwjq5FYMJHrwB1
pMgl1Y5i+u8cvA7sTUWReSxdKYJRdGFddXbbL77/Xgk2zc1Z8sCFu1LD+TV1AuUa
GgsuOyRP4ZZzuy0v27868cF3tI8E2wgEC5ERquCb2wK4sBqjquPwPX/V3/5LNojo
GyjXEXmPlHLJZJgotlEvJuQbPyKneQK5NfuvRENRCaJ5a6QNO7NJlYSo5HKxjHbW
NZruu4m8GLXRCd2TDZTsNO2Ds0gz9QpGKZjwpq+ymmfwEImU2DhsrdeTfTI65G2b
bExlvlA2qWMI4vBLl4AM3e+8tO2KCejHDFrRjRKD2kp6lEJz8ykdQ3e6ZvT0Wtce
NqJB+JSZZKCKPbsBIfMVet77YeZG2zsng3SyIDSU3BpYA/cqCZOcY9zAQwVZllfd
y9d+gSIRG4er60QnIHa74WdCYCqb96YfD/bKIgAG3nXxVkwqmbQGr2kr6KwRQ1/w
WqE8L3GqxtqO3IoIOn7h1qb27INbZOby5s692AM27hUPzf1yQYp2oNVq6BiD6IRh
CSJO4j9DJlV6s3f1CfpeLtIPCSwiu14wdMjY4eJryBLNKzTcLy3y9RHhbh98KGP4
dMkKfEoOYS8=
=Hn81
-----END PGP SIGNATURE-----