-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4237
   Security Bulletin: IBM Cognos Controller 2019Q4 Security Updater:
  Multiple Security Vulnerabilities have been identified in IBM Cognos
                                 Controller
                              11 November 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Controller
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12814 CVE-2019-4412 CVE-2019-4411
Reference:         ESB-2019.4053
                   ESB-2019.3978.2
                   ESB-2019.3672

Original Bulletin:
   https://www.ibm.com/support/pages/node/1086123

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Cognos Controller 2019Q4 Security Updater: Multiple
Security Vulnerabilities have been identified in IBM Cognos Controller

Document Information

Product:              Cognos Controller
Software version:     10.4.1, 10.4.0, 10.3.1, 10.3.0
Operating system(s):  Windows

Summary

This bulletin addresses several security vulnerabilities that are fixed in
IBM Cognos Controller 10.4.1 IF2, 10.4.0 IF5, 10.3.1 IF12 and 10.3.0 FP1 IF13.

A vulnerability exists in IBM Cognos Controller that could allow an
authenticated user to obtain sensitive information due to easy to guess
session identifier names.

IBM Cognos Controller stores sensitive information in URL parameters. This
may lead to information disclosure if unauthorized parties have access to the
URLs via server logs, referrer header or browser history.

IBM Cognos Controller consumes Faster XML Jackson. A vulnerability exists in
Faster XML Jackson-Databind that could be exploitable by an attacker.
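The jackson-databind issue named in the summary is a polymorphic (default) typing weakness: the library resolves and instantiates whatever class name an embedded type id carries. As an added illustration, not part of IBM's bulletin or the Cognos Controller code base, the following shows the weak ObjectMapper configuration beside a hardened one that restricts resolvable subtypes to an assumed application package (com.example.app.model). It is aimed at developers who embed jackson-databind 2.10 or later in their own applications; Cognos Controller customers remediate by applying the interim fixes listed under Remediation/Fixes.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class DefaultTypingExample {

    // Weak: global default typing with no validator (the pre-2.10 API). Any class on
    // the classpath named in the embedded type id can be resolved and instantiated,
    // which is the polymorphic-typing weakness class CVE-2019-12814 belongs to.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();  // deprecated in 2.10 for exactly this reason
        return mapper;
    }

    // Hardened: default typing stays enabled (some data models need it), but only
    // subtypes under the application's own package may be resolved from type ids.
    // "com.example.app.model." is an assumed package name; substitute your own.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true if the mapper accepts the document as an Object carrying an
    // embedded type id, false if type validation or resolution rejected it.
    public static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException denied) {
            return false;            // validator refused the type id
        } catch (java.io.IOException other) {
            return false;            // malformed input
        }
    }

    public static void main(String[] args) {
        // Constructed input: a type id outside the allowed package. The hardened
        // mapper refuses to resolve it; the weak mapper would load the named class.
        String untrusted = "[\"java.util.ArrayList\", []]";
        System.out.println("hardened accepts: " + accepts(hardenedMapper(), untrusted));
    }
}
```

A denied type id surfaces as a JsonMappingException subclass, so it can be logged and counted as a detection signal rather than silently swallowed.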
Vulnerability Details

CVEID: CVE-2019-4411
DESCRIPTION: IBM Cognos Controller could allow an authenticated user to obtain
sensitive information due to easy to guess session identifier names.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162658 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4412
DESCRIPTION: IBM Cognos Controller stores sensitive information in URL
parameters. This may lead to information disclosure if unauthorized parties
have access to the URLs via server logs, referrer header or browser history.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162659 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-12814
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by a polymorphic typing issue. By sending
a specially-crafted JSON message, an attacker could exploit this vulnerability
to read arbitrary local files on the server.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162875 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Cognos Controller 10.4.1
IBM Cognos Controller 10.4.0
IBM Cognos Controller 10.3.1
IBM Cognos Controller 10.3.0

Remediation/Fixes

The recommended solution is to apply the applicable IBM Cognos Controller
Interim Fix as soon as practical.

Cognos Controller 10.4.0 IF5 and 10.4.1 IF2
Cognos Controller 10.3.0 FP1 IF13 and 10.3.1 IF12

Please be advised, if you are a Cognos Controller 10.4.0 or 10.4.1 customer,
the fixes for CVE-2019-4411 and CVE-2019-4412 are only available in 10.4.0 IF5
and 10.4.1 IF2.
If you are a Cognos Controller 10.3.0 or 10.3.1 customer, all CVEs have been
addressed in 10.3.0 FP1 IF13 and 10.3.1 IF12.

Cognos Controller versions where each CVE has been addressed:

CVE             10.3.0 FP1 IF13  10.3.1 IF12  10.4.0 FP1 IF4  10.4.0 FP1 IF5  10.4.1 IF1  10.4.1 IF2
CVE-2019-4411   Y                Y            N               Y               N           Y
CVE-2019-4412   Y                Y            N               Y               N           Y
CVE-2019-12814  Y                Y            Y               Y               Y           Y

Workarounds and Mitigations

None

Change History

Update Published: November 8, 2019 (Revised Interim Fixes for versions 10.4.0
and 10.4.1)
Update Published: November 4, 2019
Original Version Published: October 25, 2019

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Internal Use Only

Advisory ID  Product Record ID
16460        137347
16466        137359
16923        139132

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================