-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4237
Security Bulletin: IBM Cognos Controller 2019Q4 Security Updater: Multiple
   Security Vulnerabilities have been identified in IBM Cognos Controller
                             11 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Controller
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12814 CVE-2019-4412 CVE-2019-4411

Reference:         ESB-2019.4053
                   ESB-2019.3978.2
                   ESB-2019.3672

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1086123

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Cognos Controller 2019Q4 Security Updater: Multiple
Security Vulnerabilities have been identified in IBM Cognos Controller

Document Information

Product            : Cognos Controller
Software version   : 10.4.1, 10.4.0, 10.3.1, 10.3.0
Operating system(s): Windows

Summary

This bulletin addresses several security vulnerabilities that are fixed in IBM
Cognos Controller 10.4.1 IF2, 10.4.0 IF5, 10.3.1 IF12 and 10.3.0 FP1 IF13.

A vulnerability exists in IBM Cognos Controller that could allow an
authenticated user to obtain sensitive information due to easy-to-guess
session identifier names.

IBM Cognos Controller stores sensitive information in URL parameters. This may
lead to information disclosure if unauthorized parties have access to the URLs
via server logs, referrer header or browser history.

IBM Cognos Controller uses FasterXML jackson-databind. A vulnerability exists in
FasterXML jackson-databind that an attacker could exploit.

Vulnerability Details

CVEID: CVE-2019-4411
DESCRIPTION: IBM Cognos Controller could allow an authenticated user to obtain
sensitive information due to easy-to-guess session identifier names.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162658 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4412
DESCRIPTION: IBM Cognos Controller stores sensitive information in URL
parameters. This may lead to information disclosure if unauthorized parties
have access to the URLs via server logs, referrer header or browser history.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162659 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-12814
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by a polymorphic typing issue. By sending
a specially-crafted JSON message, an attacker could exploit this vulnerability
to read arbitrary local files on the server.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162875 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
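The CVE-2019-4412 entry above names three places where sensitive URL parameters
leak: server logs, the Referer header and browser history. The following
Python script is an added defender-side check, not part of the IBM bulletin or
AusCERT's text: it scans access-log lines in common log format for requests
(and Referer values) whose query strings carry sensitive-looking parameter
names, and shows how such values can be redacted before logs are retained or
shared. The parameter names in SENSITIVE_PARAM_NAMES and the three log lines
are constructed for illustration; they are not the parameter names or logs of
Cognos Controller.

```python
"""Flag and redact sensitive data carried in URL query parameters.

Added example for the CVE-2019-4412 exposure channels (server logs, Referer
header, browser history). Not taken from the IBM or AusCERT bulletin.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as sensitive. Assumption: generic names chosen for
# illustration, not the parameter names actually used by Cognos Controller.
SENSITIVE_PARAM_NAMES = {
    "sessionid", "session", "sid", "token", "password", "passwd", "apikey",
}

# Common log format:
#   host ident authuser [timestamp] "METHOD URL PROTOCOL" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (not real traffic). Line 2 carries a session id
# in the request URL; line 3 leaks a token through the Referer header.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2019:10:15:02 +1000] "GET /app/report?id=42 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [08/Nov/2019:10:15:09 +1000] "GET /app/open?sessionid=abc123&id=7 HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Nov/2019:10:16:01 +1000] "GET /other/page HTTP/1.1" '
    '200 88 "https://intranet.example/app/open?token=xyz" "Mozilla/5.0"',
]


def sensitive_params(url):
    """Return the sorted sensitive parameter names present in url's query string."""
    query = urlsplit(url).query
    return sorted({
        name for name, _ in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAM_NAMES
    })


def scan_log(lines):
    """Scan log lines; report where sensitive parameters appear (request URL or Referer)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped rather than silently trusted
        for where, url in (("request", m.group("url")), ("referer", m.group("referer"))):
            hits = sensitive_params(url)
            if hits:
                findings.append({
                    "line": lineno, "host": m.group("host"),
                    "where": where, "params": hits,
                })
    return findings


def redact_url(url):
    """Replace the values of sensitive parameters so the URL is safe to retain or share."""
    parts = urlsplit(url)
    pairs = [
        (name, "REDACTED" if name.lower() in SENSITIVE_PARAM_NAMES else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} ({finding['where']}, host {finding['host']}): "
              f"sensitive parameters {finding['params']}")
    print(redact_url("/app/open?sessionid=abc123&id=7"))
```

Running the script reports line 2 (request URL) and line 3 (Referer) and
prints the redacted form `/app/open?sessionid=REDACTED&id=7`. The same
name-based check can be applied in a logging filter so the values never reach
disk, which is the mitigation a log-retention policy needs while the interim
fix is being scheduled.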

Affected Products and Versions

IBM Cognos Controller 10.4.1
IBM Cognos Controller 10.4.0
IBM Cognos Controller 10.3.1
IBM Cognos Controller 10.3.0

Remediation/Fixes

The recommended solution is to apply the applicable IBM Cognos Controller
Interim Fix as soon as practical.
Cognos Controller 10.4.0 IF5 and 10.4.1 IF2
Cognos Controller 10.3.0 FP1 IF13 and 10.3.1 IF12
Please be advised, if you are a Cognos Controller 10.4.0 or 10.4.1 customer,
the fixes for CVE-2019-4411 and CVE-2019-4412 are only available in 10.4.0 IF5
and 10.4.1 IF2. If you are a Cognos Controller 10.3.0 or 10.3.1 customer, all
CVEs have been addressed in 10.3.0 FP1 IF13 and 10.3.1 IF12.
Cognos Controller Versions where each CVE has been addressed:

CVE               10.3.0 FP1 IF13  10.3.1 IF12      10.4.0 FP1 IF4   10.4.0 FP1 IF5   10.4.1 IF1       10.4.1 IF2
CVE-2019-4411     Y                Y                N                Y                N                Y
CVE-2019-4412     Y                Y                N                Y                N                Y
CVE-2019-12814    Y                Y                Y                Y                Y                Y

Workarounds and Mitigations

None

Change History

Update Published: November 8, 2019 (Revised Interim Fixes for versions 10.4.0
and 10.4.1)
Update Published: November 4, 2019
Original Version Published: October 25, 2019

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Internal Use Only

Advisory ID  Product
             Record ID
16460        137347
16466        137359
16923        139132

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----