-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0582
    Multiple vulnerabilities have been identified in IBM Cognos Business
                                 Intelligence
                                 6 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Business Intelligence
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9985 CVE-2016-8960 CVE-2016-8735 CVE-2016-6816
                   CVE-2016-6797 CVE-2016-6796 CVE-2016-6794 CVE-2016-5983
                   CVE-2016-5388 CVE-2016-5018 CVE-2016-0762
Reference:         ESB-2017.0536
                   ESB-2017.0515
                   ESB-2017.0514
                   ESB-2016.1992
                   ESB-2016.1765
                   ESB-2016.1764

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg21999671
   http://www.ibm.com/support/docview.wss?uid=swg21993718

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Cognos Business Intelligence Server 2017Q1 Security
Updater: IBM Cognos Business Intelligence Server is affected by multiple
vulnerabilities.

Document information

More support for: Cognos Business Intelligence
Security

Software version: 10.1.1, 10.2, 10.2.1, 10.2.1.1, 10.2.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #: 1999671

Modified date: 03 March 2017

Security Bulletin

Summary

This bulletin addresses several security vulnerabilities.

IBM Cognos Business Intelligence has addressed a vulnerability where sensitive
information can be revealed in its log files.

There is a vulnerability in IBM WebSphere Application Server Liberty. Liberty
is used by IBM Cognos Business Intelligence version 10.2.2. This issue was
disclosed as part of the IBM WebSphere Application Server Liberty updates.

IBM Cognos Business Intelligence has addressed several Apache Tomcat
vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-9985
DESCRIPTION: IBM Cognos Server stores highly sensitive information in log files
that could be read by a local user.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120391 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5983
DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to
execute arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/116468 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-0762
DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive
information, caused by the failure of the Realm implementation to process the
user-supplied password when the specified user name does not exist. An
attacker could exploit this vulnerability to conduct a timing attack and
determine valid usernames on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118407 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-5018
DESCRIPTION: Apache Tomcat could allow a local attacker to bypass security
restrictions. An attacker could exploit this vulnerability using a Tomcat
utility method to bypass a configured SecurityManager.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118406 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-6794
DESCRIPTION: Apache Tomcat could allow a local attacker to obtain sensitive
information, caused by an error in the system property replacement feature. An
attacker could exploit this vulnerability to bypass the SecurityManager and
read system properties.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118405 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-6796
DESCRIPTION: Apache Tomcat could allow a local attacker to bypass security
restrictions. By modifying configuration parameters for the JSP Servlet, an
attacker could exploit this vulnerability to bypass a configured
SecurityManager.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118404 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-6797
DESCRIPTION: Apache Tomcat could allow a local attacker to gain unauthorized
access to the system, caused by an error in the ResourceLinkFactory. An
attacker could exploit this vulnerability to gain access to arbitrary global
JNDI resources.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118403 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-6816
DESCRIPTION: Apache Tomcat is vulnerable to HTTP response splitting attacks,
caused by improper validation of user-supplied input. A remote attacker could
exploit this vulnerability to inject arbitrary HTTP headers and cause the
server to return a split response, once the URL is clicked. This would allow
the attacker to perform further attacks, such as Web cache poisoning or
cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119158 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-8735
DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary
code on the system, caused by an error in the JmxRemoteLifecycleListener. By
sending specially crafted data to a JMX port, an attacker could exploit this
vulnerability to execute arbitrary code on the system with elevated
privileges.
CVSS Base Score: 7.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119157 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5388
DESCRIPTION: Apache Tomcat could allow a remote attacker to redirect the HTTP
traffic of a CGI application, caused by the failure to protect applications
from the presence of untrusted client data in the HTTP_PROXY environment
variable. By using a specially-crafted Proxy header in an HTTP request, an
attacker could exploit this vulnerability to redirect outbound HTTP traffic to
an arbitrary proxy server. This is also known as the "HTTPOXY" vulnerability.
CVSS Base Score: 8.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/115091 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1

Remediation/Fixes

The recommended solution is to apply the fix for the versions listed as soon
as practical.

10.1.1:   http://www.ibm.com/support/docview.wss?uid=swg24043287
10.2.0:   http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1:   http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.2:   http://www.ibm.com/support/docview.wss?uid=swg24043288

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

3 March 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Privilege Escalation vulnerability affects Cognos Business
Intelligence (CVE-2016-8960)

Document information

More support for: Cognos Business Intelligence
Security

Software version: 10.2, 10.2.1, 10.2.1.1, 10.2.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition: All Editions

Reference #: 1993718

Modified date: 03 March 2017

Security Bulletin

Summary

Cognos Business Intelligence is vulnerable to a privilege escalation attack
that could grant a user the Capabilities of another.

Vulnerability Details

CVEID: CVE-2016-8960
DESCRIPTION: IBM Cognos Business Intelligence could allow a user with
lower-privilege Capabilities to adopt the Capabilities of a higher-privilege
user by intercepting the higher-privilege user's cookie value from its HTTP
request and then reusing it in subsequent requests.
CVSS Base Score: 6.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118849 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Remediation/Fixes

The recommended solution is to apply the fix for the versions listed as soon
as practical.

10.2.0:   http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1:   http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.2:   http://www.ibm.com/support/docview.wss?uid=swg24043288

Workarounds and Mitigations

Configure the BI Server as follows to avoid the privilege escalation issue:

1. Launch IBM Cognos Configuration
2. Select Local Configuration
3. Select Advanced Properties
4. Add a property with Name="EnableSecureUserCapabilitiesCache" and Value=true
5. Save the configuration
6. Restart the Cognos BI Server

This action should be applied for all BI Server installations that could be
affected. Any variation of the Cognos BI Server (Gateway, Content Manager,
Application Tier) should apply the setting. In a distributed installation all
BI Server instances should apply the setting.

The setting is available in all versions of 10.2.2, 10.2.1, 10.2.1.1, and
10.2.0. It is not available in 10.1.1. In a distributed installation, if any
instance is running 10.1.1 or lower, those instances would need to be upgraded
to 10.2.0 or higher before the setting can be applied on any of the
installations.

A side effect of enabling this setting is that the user may experience the
error "DPR-ERR-2107 The User Capabilities Cache cookie cannot be decoded" if
her browser session with Cognos remains idle for longer than the Inactivity
Timeout, which is one hour by default. It may also be seen the first time the
setting is enabled after restarting, in any Cognos browser sessions that
remained open since the restart. The DPR-ERR-2107 error can be resolved by
clearing the browser's cookies. The Inactivity Timeout is found in the
Configuration tool under Security / Authentication.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Vulnerability reported to IBM by Mayank Somani.

Change History

6 November 2016: Original Version Published
21 November 2016: Added Acknowledgement
21 December 2016: Document updated to meet Security Bulletin guidelines
5 January 2017: Document updated to add Change Log
3 March 2017: Permanent fix available; link provided. Correct platforms and
versions for fix.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWLy3/Ix+lLeg9Ub1AQj5bQ//TtTVYl3NCTsMQl9vvJ0aMS/pxnKcck9n
fEi6zlg9Th4Cgc0lyTkqrWrdnYhIru+AG2aCUTmu9HNmXqS4ZqcnqQmpHRZjvg/A
5jXMKrxPeIfN16tBHOe1VdoM0esOu8OWD+zpvcKz/nsh2W1XW9BM+qD58wA0GD1J
iK5758YufcDVr5H4f5+LRcNn6le54GqCEBXT7LfVStozy/gXQfqNt7oJaJ5ozawK
Le9pVBkSUzu4pjLgLzNLI84lZdiNUjT7G3gjvQPy5DJRPAS9Ls76hmz4T75S+rmc
ZMqfU2L2FnORIVkggEnU4tCswXhAKgMOK4te0rQRKqBnPCtAl/qXo+9Colk3yAtd
r/kv1GjYUUYDN/HuziimAUHKRuVGbiSCQf18wJn/z7VvRCWLEQ1inSCpFJT0JL9w
VerkkC2lH/jDcjbrhfBef0H+tp+cFD7vgOj87dp602MV0SqAPT69iZwNHAbwl2MT
dzDMZHw7wtsc161LsFU7ywVks2xdXk0+ANyZsXMNLgoKLPW88NruCmlGeEn6EDSJ
jGVVTeBFHTq2wE68xJ5BkJrST6R/0GtbnNhQ3SarLehmJ0w/vFWvVzzTWkokFsFk
w/EV1Ob5ADAtP0FJAkinyjueJs1tI5tejJUl5dnUgfxcUbzvvm7adveviLn5MqcX
6A6ysuze+2Q=
=Vx+w
-----END PGP SIGNATURE-----
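CVE-2016-0762 in the first advisory describes a Realm that skipped the password check whenever the user name did not exist, so an unknown name was answered faster than a known name with a wrong password and valid names could be told apart by timing. The following Python is an added example, not code from the bulletin or from Apache Tomcat: a toy credential store (the user, salts and passwords are constructed) with the early-return shape of the flaw beside the fix, which charges unknown names the same hash cost by verifying against a dummy record. Work is counted instead of timed so the comparison is deterministic.

```python
"""Username-enumeration timing leak of the CVE-2016-0762 kind, with its fix.

Added example, not code from the bulletin or from Apache Tomcat. UserStore
stands in for a Realm; the account and the dummy record are constructed.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 20_000  # PBKDF2 work factor: the cost the flawed path skips for unknown names


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserStore:
    """Maps user names to (salt, password hash) and counts expensive hash calls."""

    def __init__(self) -> None:
        self.hash_calls = 0  # instrumentation only: how many PBKDF2 runs a login triggered
        self.users = {}
        self.add_user("alice", "correct horse battery")  # constructed account
        # Dummy record for unknown names: random throwaway password, so it can never match,
        # but verifying against it costs exactly one PBKDF2 run like a real record.
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = pbkdf2(secrets.token_hex(32), self.dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, pbkdf2(password, salt))

    def _hash(self, password: str, salt: bytes) -> bytes:
        self.hash_calls += 1
        return pbkdf2(password, salt)

    def authenticate_leaky(self, username: str, password: str) -> bool:
        """Flawed shape: an unknown user returns before any hashing, so it answers fast."""
        record = self.users.get(username)
        if record is None:
            return False  # the response time itself reveals the name is not registered
        salt, stored = record
        return hmac.compare_digest(self._hash(password, salt), stored)

    def authenticate_fixed(self, username: str, password: str) -> bool:
        """Fixed shape: always hash, against the dummy record when the user is unknown."""
        record = self.users.get(username)
        salt, stored = record if record is not None else (self.dummy_salt, self.dummy_hash)
        matched = hmac.compare_digest(self._hash(password, salt), stored)
        return matched and record is not None


def hash_cost(store: UserStore, method_name: str, username: str, password: str) -> int:
    """Number of expensive hash computations one login attempt triggers."""
    before = store.hash_calls
    getattr(store, method_name)(username, password)
    return store.hash_calls - before


def cost_profile() -> dict:
    """Hash cost per (method, user known?) case; equal costs mean no enumeration signal."""
    store = UserStore()
    return {
        "leaky/unknown user": hash_cost(store, "authenticate_leaky", "nobody", "x"),
        "leaky/known user": hash_cost(store, "authenticate_leaky", "alice", "x"),
        "fixed/unknown user": hash_cost(store, "authenticate_fixed", "nobody", "x"),
        "fixed/known user": hash_cost(store, "authenticate_fixed", "alice", "x"),
    }


if __name__ == "__main__":
    for case, cost in cost_profile().items():
        print(f"{case:20s} PBKDF2 runs: {cost}")
```

The fix keeps the expensive step unconditional and folds the "user exists" decision into the result only after the hash has been computed; the dummy record's random password guarantees that path can never authenticate anyone. A production Realm should in addition return the same error message for both cases, since a distinguishable message leaks the same fact without any timing measurement.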