-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1008
   Security Bulletin: Information Disclosure in Cognos Business Intelligence
  (Cognos BI) shipped with Tivoli Common Reporting (CVE-2019-1547, CVE-2019-1549,
                                 CVE-2019-1563)
                               20 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Common Reporting
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1563 CVE-2019-1549 CVE-2019-1547
Reference:         ESB-2019.4749

Original Bulletin:
   https://www.ibm.com/support/pages/node/6091228

- --------------------------BEGIN INCLUDED TEXT--------------------

Information Disclosure in Cognos Business Intelligence (Cognos BI) shipped with
Tivoli Common Reporting (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563)

Security Bulletin

Summary

IBM Tivoli Common Reporting (TCR) interim fixes address Security Vulnerabilities
CVE-2019-1547, CVE-2019-1549, CVE-2019-1563

Vulnerability Details

CVEID: CVE-2019-1547
DESCRIPTION: OpenSSL could allow a local authenticated attacker to obtain
sensitive information, caused by the ability to construct an EC group missing
the cofactor using explicit parameters instead of using a named curve. An
attacker could exploit this vulnerability to obtain full key recovery during an
ECDSA signature operation.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167020
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-1549
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by the failure to include protection in the event of a
fork() system call to ensure that the parent and child processes do not share
the same RNG state. An attacker could exploit this vulnerability to obtain
sensitive information.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167021
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-1563
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a padding oracle attack in PKCS7_dataDecode and
CMS_decrypt_set1_pkey. By sending an overly large number of messages to be
decrypted, an attacker could exploit this vulnerability to obtain sensitive
information.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167022
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------+----------+
|Affected Product(s)        |Version(s)|
+---------------------------+----------+
|IBM Tivoli Common Reporting|3.1.3     |
+---------------------------+----------+

Remediation/Fixes

+--------------------------------------+--------------------------------------+
|Tivoli Common Reporting release       |Remediation                           |
+--------------------------------------+--------------------------------------+
|3.1.3                                 |Download Cognos BI 10.2.2 Interim Fix |
|                                      |22 (10.2.2 IF22)                      |
|                                      |Install 10.2.2-BA-CBI-64-IF0022       |
+--------------------------------------+--------------------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417      (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXnQ8pmaOgq3Tt24GAQhXHBAAnZ5+YcLvhQvdcAgcGmM2hHLxp9l82hZ8
M3AvKU7jzEPSEDAWGPw5BTReDPjIlOOqIVfXokhnhimSVgQQgHWbKy9fnOQDMQ7v
G4KGfwyxXASQboRsiEdOVoTLdFP3yL0UjMRrIuKtVga+mcpm6xPTpn6ialW3bNwF
Nhe6MIlq/ZOfMqFYOSHdTTwaj6K3z3GCoykr5myB9DK22/NT1i1XFMtfx88C50Up
JBxLaZZeFYX2meVT4+Vk9vDfG3p2e0BC3dO+xVIg/DNwJqLOkjHob/2EEdjfnWEo
X7orxCqqPul9nJf2ejkllaPDGfDwHsCrW3Ph3yvFpzxEOsA6ANGUMm7lrgZSUNrT
QQdwAACnNHIaf02QJnUeqXBeHaeNmimbIUPlZ7325ZoWAyx9+fG2e+eQMgzRh0pM
1PbKu6gHdYrtCakU2cpNywHP97BCrAdXcsNdwsJbQQB+q2i1JmzFYp1xCJI7X7ux
CkgA/2YR/Ad/bUCdFA7XYdgRvo6LoHI+QDmfUPsSWL9j9i60529+rQykJOApdVxh
lwBiG0bMZyXPyOH+uIdOUYk+DZARnM3zLtMZmzaqSdgNeXbZS7L0RcSGKrapgifx
3F01zOeK0fiX/gboec32ww8vKunKg9iYXGbI1XQmXmSjRaG6O2EeZRhu1tFCf5hG
MuK+DUnMrEI=
=CgHI
-----END PGP SIGNATURE-----
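Editor's note on CVE-2019-1549, the fork() RNG issue described in the bulletin above. The following is an added example, not part of the IBM or AusCERT text and not OpenSSL code. It reproduces the class of bug with Python's random.Random as a stand-in for a user-space DRBG: a generator whose state lives in process memory is duplicated by fork(), so the parent and the child produce identical "random" bytes until one of them is reseeded. The pid-aware variant shows the general mitigation (detect that the process has changed and reseed from the OS); os.urandom() avoids the problem entirely because the kernel owns the state. All function names (draw_after_fork, make_shared_state_rng, make_pid_aware_rng, make_os_rng, rng_is_fork_safe) are this example's own, and it requires a POSIX system with os.fork().

```python
"""Fork-safety of a user-space RNG: the failure mode behind CVE-2019-1549.

Added example, not from the IBM/AusCERT bulletin and not OpenSSL code.
random.Random is used here as a stand-in for a deterministic DRBG whose
state lives in process memory and is therefore copied by fork().
"""
import os
import random


def _read_exactly(fd, n):
    """Read n bytes from a pipe, tolerating short reads."""
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:  # EOF: child exited without writing everything
            break
        buf += chunk
    return buf


def draw_after_fork(make_rng, nbytes=16):
    """Build an RNG, fork, and have BOTH processes take their first draw.

    Returns (parent_bytes, child_bytes). A fork-safe RNG yields two different
    values; a fork-unsafe one yields the same value twice because the child
    inherited an exact copy of the generator state.
    """
    draw = make_rng()
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: draw, ship the bytes to the parent, exit immediately
        os.close(r)
        os.write(w, draw(nbytes))
        os._exit(0)
    os.close(w)
    child = _read_exactly(r, nbytes)
    os.close(r)
    os.waitpid(pid, 0)
    parent = draw(nbytes)  # parent's first draw, from the same pre-fork state
    return parent, child


def make_shared_state_rng():
    """VULNERABLE pattern: seeded once, state copied verbatim into the child."""
    rng = random.Random()  # seeded from the OS when constructed, never again
    return lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")


def make_pid_aware_rng():
    """Mitigation: notice we are now a different process and reseed from the OS.

    This is the shape of a fork-protection fix: the pid recorded at creation
    time no longer matches in the child, so the child reseeds before its first
    draw instead of replaying the parent's stream.
    """
    state = {"pid": os.getpid(), "rng": random.Random()}

    def draw(n):
        if os.getpid() != state["pid"]:  # first draw after a fork in the child
            state["rng"].seed(os.urandom(32))
            state["pid"] = os.getpid()
        return state["rng"].getrandbits(8 * n).to_bytes(n, "big")

    return draw


def make_os_rng():
    """Mitigation: let the kernel own the state; there is nothing to duplicate."""
    return lambda n: os.urandom(n)


def rng_is_fork_safe(make_rng):
    """True when parent and child draw different bytes after fork()."""
    parent, child = draw_after_fork(make_rng)
    return parent != child


if __name__ == "__main__":
    for name, factory in [("shared state", make_shared_state_rng),
                          ("pid-aware reseed", make_pid_aware_rng),
                          ("os.urandom", make_os_rng)]:
        print(f"{name:18s} fork-safe: {rng_is_fork_safe(factory)}")
```

Run it and the shared-state generator reports fork-safe: False while the two mitigations report True. The practical reading for an operator is the one the bulletin implies: any process that pre-forks workers after initialising a user-space RNG (web servers, report schedulers) is exposed unless the library reseeds or mixes in per-process state after fork(), which is why the fix is a library update rather than a configuration change.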