-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1008
 Security Bulletin: Information Disclosure in Cognos Business Intelligence
             (Cognos BI) shipped with Tivoli Common Reporting
               (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563)
                               20 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Common Reporting
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1563 CVE-2019-1549 CVE-2019-1547

Reference:         ESB-2019.4749

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6091228

- --------------------------BEGIN INCLUDED TEXT--------------------

Information Disclosure in Cognos Business Intelligence (Cognos BI) shipped with
Tivoli Common Reporting (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563)

Security Bulletin

Summary

IBM Tivoli Common Reporting (TCR) interim fixes address the OpenSSL
vulnerabilities CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563 in the Cognos
Business Intelligence (Cognos BI) component shipped with TCR.

Vulnerability Details

CVEID: CVE-2019-1547
DESCRIPTION: OpenSSL could allow a local authenticated attacker to obtain
sensitive information. An EC group can be constructed from explicit parameters
(instead of a named curve) with the cofactor omitted, even when the parameters
otherwise match a known named curve. When the cofactor is missing, OpenSSL falls
back to a scalar multiplication code path that is not side-channel resistant, so
an attacker able to take side-channel measurements during an ECDSA signature
operation could recover the full private key. Groups loaded from a named curve
always carry the cofactor and use the side-channel resistant path.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/167020
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-1549
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by missing protection against the fork() system call in the
random number generator: after a fork, the parent and child processes continued
from the same RNG state and therefore produced identical random output. An
attacker who can observe random values (such as nonces, session keys or IVs)
emitted by one of the processes could predict the values used by the other.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/167021
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
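
The fork() hazard behind CVE-2019-1549, as an added illustration that is not
part of the IBM bulletin and not OpenSSL code: a constructed HMAC-counter
generator (ToyDrbg, a stand-in for a process-wide DRBG, not a real DRBG
design) is forked with and without fork protection. Without it, the child
replays exactly the bytes the parent produces next. The protection modelled
here, comparing the current pid with the pid that owns the state and reseeding
from OS entropy on mismatch, is one common approach; an at-fork hook
(os.register_at_fork in Python, pthread_atfork in C) is the other.

```python
import hashlib
import hmac
import os
import struct


class ToyDrbg:
    """Constructed HMAC-counter generator standing in for a process-wide DRBG.
    Not OpenSSL's DRBG; it only models whether state is shared across fork()."""

    def __init__(self, seed: bytes, fork_safe: bool):
        self.key = seed
        self.counter = 0
        self.fork_safe = fork_safe
        self.owner_pid = os.getpid()   # pid that seeded this state

    def _reseed_after_fork(self) -> None:
        # Fresh OS entropy is what makes the child's stream unpredictable;
        # folding in only the pid would make it differ from the parent but
        # leave it guessable.
        material = os.urandom(32) + struct.pack("<I", os.getpid())
        self.key = hmac.new(self.key, material, hashlib.sha256).digest()
        self.counter = 0
        self.owner_pid = os.getpid()

    def random_bytes(self, n: int) -> bytes:
        if self.fork_safe and os.getpid() != self.owner_pid:
            self._reseed_after_fork()
        out = b""
        while len(out) < n:
            block = struct.pack("<Q", self.counter)
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


def parent_and_child_output(drbg: ToyDrbg, n: int = 16):
    """fork(), draw n bytes in each process, return (parent_bytes, child_bytes)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child: send its draw back over the pipe
        os.close(r)
        os.write(w, drbg.random_bytes(n))
        os._exit(0)
    os.close(w)
    child = b""
    while len(child) < n:
        chunk = os.read(r, n - len(child))
        if not chunk:
            break
        child += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return drbg.random_bytes(n), child


def child_repeats_parent(fork_safe: bool) -> bool:
    """True when parent and child emit identical bytes, i.e. shared RNG state."""
    drbg = ToyDrbg(os.urandom(32), fork_safe)
    drbg.random_bytes(8)               # advance the stream a little before forking
    parent, child = parent_and_child_output(drbg)
    return parent == child


if __name__ == "__main__":
    print("no fork protection, child repeats parent:", child_repeats_parent(False))
    print("fork protection,    child repeats parent:", child_repeats_parent(True))
```

Run it on Linux or another platform with os.fork(); the first line prints True
and the second False. The pid comparison is only a detector: what actually
breaks the link between the two streams is the reseed from os.urandom.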

CVEID: CVE-2019-1563
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a padding oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey. When the RSA decryption of the content encryption key
failed (for example because the PKCS#1 v1.5 padding was invalid), the failure was
reported differently from a failure later in content decryption, so an attacker
could tell the two cases apart. By sending an overly large number of crafted
messages to be decrypted and observing the responses, an attacker could use this
as a Bleichenbacher-style padding oracle to recover the encrypted content
encryption key and thus the message content.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/167022
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
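
The oracle shape behind CVE-2019-1563 and the fix pattern that removes it, as
an added example that is neither IBM's nor OpenSSL's code. The model is
deliberately simplified: the RSA step is abstracted away, so `padded` stands
for the RSA-decrypted block that the attacker cannot read but can influence by
submitting crafted ciphertexts, and the content cipher is a constructed
HMAC-based toy (an HMAC tag check followed by an HMAC keystream XOR), not AES.
The names weak_decrypt and hardened_decrypt, KEY_LEN and the error classes are
all assumptions of this example. The weak path reports an unpadding failure as
its own error; the hardened path substitutes a random key of the right length
and carries on, so every failure surfaces from the content step.

```python
import hashlib
import hmac
import os

KEY_LEN = 16   # assumed content-encryption key length for the model


class PaddingError(Exception):
    """Raised by the weak path when PKCS#1 v1.5 unpadding fails."""


class ContentError(Exception):
    """Raised when content decryption/authentication fails."""


def pkcs1_v15_unpad(padded: bytes, key_len: int):
    """Return the key if padded is 00 02 <8+ nonzero PS bytes> 00 <key>, else None."""
    if len(padded) < 11 or padded[0] != 0x00 or padded[1] != 0x02:
        return None
    try:
        sep = padded.index(0x00, 2)
    except ValueError:
        return None
    if sep < 10:                      # padding string must be at least 8 bytes
        return None
    key = padded[sep + 1:]
    return key if len(key) == key_len else None


def _keystream(key: bytes, length: int) -> bytes:
    stream = hmac.new(key, b"stream", hashlib.sha256).digest()
    return bytes(stream[i % len(stream)] for i in range(length))


def content_encrypt(key: bytes, plaintext: bytes):
    """Toy authenticated encryption: XOR keystream, then HMAC tag over ciphertext."""
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def content_decrypt(key: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ContentError("authentication failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, len(ciphertext))))


def weak_decrypt(padded: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Vulnerable shape: an unpadding failure surfaces as a distinct error."""
    key = pkcs1_v15_unpad(padded, KEY_LEN)
    if key is None:
        raise PaddingError("bad PKCS#1 v1.5 padding")   # the oracle
    return content_decrypt(key, ciphertext, tag)


def hardened_decrypt(padded: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Fixed shape: substitute a random key on unpadding failure and continue."""
    key = pkcs1_v15_unpad(padded, KEY_LEN)
    if key is None:
        key = os.urandom(KEY_LEN)
    return content_decrypt(key, ciphertext, tag)


def error_kind(decrypt, padded: bytes, ciphertext: bytes, tag: bytes) -> str:
    """What an attacker submitting `padded` learns from the response."""
    try:
        decrypt(padded, ciphertext, tag)
        return "ok"
    except PaddingError:
        return "padding"
    except ContentError:
        return "content"


def build_sample():
    """Constructed inputs: a valid block, a malformed block, and a valid block
    carrying the wrong key, plus a message encrypted under the real key."""
    key = bytes(range(KEY_LEN))
    good = b"\x00\x02" + b"\xff" * 8 + b"\x00" + key
    bad = b"\x00\x03" + good[2:]                               # wrong block type
    wrong_key = b"\x00\x02" + b"\xff" * 8 + b"\x00" + bytes(KEY_LEN)
    ciphertext, tag = content_encrypt(key, b"content encryption key transport")
    return {"good": good, "bad": bad, "wrong_key": wrong_key,
            "ciphertext": ciphertext, "tag": tag}


if __name__ == "__main__":
    s = build_sample()
    for name in ("good", "bad", "wrong_key"):
        print(name, "weak:", error_kind(weak_decrypt, s[name], s["ciphertext"], s["tag"]),
              "hardened:", error_kind(hardened_decrypt, s[name], s["ciphertext"], s["tag"]))
```

With the weak path a malformed block answers "padding" while a well-formed
block with the wrong key answers "content", which is exactly the bit the oracle
needs; with the hardened path both answer "content". Making the error uniform
is the necessary first step, not the whole story: the two paths must also take
the same time, otherwise the oracle moves from the error code to the clock.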

Affected Products and Versions

+---------------------------+----------+
|Affected Product(s)        |Version(s)|
+---------------------------+----------+
|IBM Tivoli Common Reporting|3.1.3     |
+---------------------------+----------+

Remediation/Fixes

+--------------------------------------+--------------------------------------+
|Tivoli Common Reporting release       |Remediation                           |
+--------------------------------------+--------------------------------------+
|3.1.3                                 |Download Cognos BI 10.2.2 Interim Fix |
|                                      |22 (10.2.2 IF22)                      |
|                                      |Install 10.2.2-BA-CBI-64-IF0022       |
+--------------------------------------+--------------------------------------+

Workarounds and Mitigations

None


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----