Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0322 Security Bulletin: Multiple vulnerabilities in IBM Cognos BI 8.4.1,10.1, 10.1.1 and 10.2 (CVE-2011-3026, CVE-2011-4858, CVE-2012-0498, CVE-2012-2177, CVE-2012-2193, CVE-2012-4835, CVE-2012-4836, CVE-2012-4837, CVE-2012-4840, CVE-2012-4858, CVE-2012-5081) 5 March 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM Cognos Business Intelligence Publisher: IBM Operating System: AIX HP-UX Linux variants Solaris Windows Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Access Privileged Data -- Existing Account Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2012-5081 CVE-2012-4858 CVE-2012-4840 CVE-2012-4837 CVE-2012-4836 CVE-2012-4835 CVE-2012-2193 CVE-2012-2177 CVE-2012-0498 CVE-2011-4858 CVE-2011-3026 Reference: ASB-2012.0144 ASB-2012.0143 ASB-2012.0060 ASB-2012.0027 ASB-2012.0025 ESB-2012.0190 ESB-2012.0132 ESB-2012.0116 ASB-2012.0024.2 ESB-2012.0143.2 Original Bulletin: https://www-304.ibm.com/support/docview.wss?uid=swg21626697 - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: Multiple vulnerabilities in IBM Cognos BI 8.4.1,10.1, 10.1.1 and 10.2 (CVE-2011-3026, CVE-2011-4858, CVE-2012-0498, CVE-2012-2177, CVE-2012-2193, CVE-2012-4835, CVE-2012-4836, CVE-2012-4837, CVE-2012-4840, CVE-2012-4858, CVE-2012-5081) Document information Cognos Business Intelligence Security Software version: 8.4.1, 10.1, 10.1.1, 10.2 Operating system(s): AIX, HP Itanium, HP-UX, Linux, Solaris, Windows Reference #: 1626697 Modified date: 2013-02-27 Abstract Several security vulnerabilities have been identified in IBM Cognos BI which may allowing remote attackers to: - - Cause a denial of service condition via excessive CPU consumption, - - Inject arbitrary JavaScript code into the victim's web browser, - - Download arbitrary XML files from the server, - - Call any registered XPath extension functions, - - Execute arbitrary code via buffer overflow. Content VULNERABILITY DETAILS: CVE ID: CVE-2011-3026 DESCRIPTION: The libpng graphic library is bundled with IBM Cognos BI. This vulnerability allows malicious users to overflow a buffer and execute arbitrary code on the server or cause the server to crash by requesting IBM Cognos BI to render a specifically crafted PNG image. CVSS: CVSS Base Score: 6.8 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/73240 for the current score CVSS Environmental Score*: Undefined CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P) AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): None known CVE ID: CVE-2011-4858 DESCRIPTION: Apache Tomcat is bundled with IBM Cognos BI. This Tomcat vulnerability allows remote attackers to cause a denial of service (CPU consumption) by sending a maliciously crafted HTTP request to the Cognos gateway. CVSS: CVSS Base Score: 5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72016 for the current score CVSS Environmental Score*: Undefined CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P) AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): None known CVE ID: CVE-2012-0498 DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This vulnerability allows malicious users to affect confidentiality, integrity, and availability by requesting IBM Cognos BI to render a specifically crafted image. CVSS: CVSS Base Score: 10 The CVSS base score represents the maximum CVSS base score assigned by X-Force for the vulnerabilities identified in this advisory. AFFECTED PLATFORMS: All supported Windows platforms for IBM Cognos BI. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s) : None known, apply fixes Mitigation(s): A patched version of the Java Runtime Environment (JRE) can be installed independently, and IBM Cognos BI can be configured to be run with the patched version of the JRE. CVE ID: CVE-2012-2177 DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability requiring additional user interaction. The victim has to click a malicious link and then click an additional link on the rendered Web page. The attacker's JavaScript code is executed in the context of the victim's web browser. CVSS: CVSS Base Score: 4.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75400 for the current score CVSS Environmental Score*: Undefined AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): You can configure IBM Cognos BI 10.1 and above to use the httpOnly attribute for the session cookie. That would prevent the attacker from stealing the session id. CVE ID: CVE-2012-2193 DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability requiring additional user interaction. The victim has to click a malicious link and then click an additional link on the rendered Web page. The attacker's JavaScript code is executed in the context of the victim's web browser. CVSS: CVSS Base Score: 4.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/76098 for the current score CVSS Environmental Score*: Undefined AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): You can configure IBM Cognos BI to use the httpOnly attribute for the session cookie. That would prevent the attacker from stealing the session id. CVE ID: CVE-2012-4835 DESCRIPTION: IBM Cognos BI has a reflected cross-site scripting vulnerability. The victim has to click a malicious link. The attacker's JavaScript code is executed in the context of the victim's web browser. CVSS: CVSS Base Score: 4.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78917 for the current score CVSS Environmental Score*: Undefined AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): Configuring IBM Cognos BI 10.1 and above to use the httpOnly attribute for the session cookie helps prevent the attacker from stealing a users session id. CVE ID: CVE-2012-4836 DESCRIPTION: IBM Cognos BI is vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. CVSS: CVSS Base Score: 3.5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78918 for the current score CVSS Environmental Score*: Undefined AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): You can configure IBM Cognos BI 10.1 and above to use the httpOnly attribute for the session cookie. That would prevent the attacker from stealing the session id. CVE ID: CVE-2012-4837 DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by the improper validation of input prior to using it in a XPath (XML Path Language) query. By injecting arbitrary XPath code, a malicious user could exploit this vulnerability to read arbitrary XML files. CVSS: CVSS Base Score: 4 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78919 for the current score CVSS Environmental Score*: Undefined AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): None known CVE ID: CVE-2012-4840 DESCRIPTION: IBM Cognos BI is vulnerable to XPath injection, caused by the improper validation of input prior to using it in a XPath (XML Path Language) query. By injecting arbitrary XPath code, a remote unauthenticated attacker could call any registered XPath extension function. CVSS: CVSS Base Score: 5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79116 for the current score CVSS Environmental Score*: Undefined AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): None known CVE ID: CVE-2012-4858 DESCRIPTION: IBM Cognos BI is vulnerable to a remote OS command injection due to missing validation of untrusted Java serialized input. CVSS: CVSS Base Score: 9.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79801 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) AFFECTED PLATFORMS: All supported platforms. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): None known CVE ID: CVE-2012-5081 DESCRIPTION: The Java Runtime Environment is bundled with IBM Cognos BI. This vulnerability allows malicious users to affect availability. CVSS: CVSS Base Score: 5 CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) AFFECTED PLATFORMS: All supported Windows platforms for IBM Cognos BI. REMEDIATION: Apply Cognos Business Intelligence Interim Fixes for Security Exposure Workaround(s): None known, apply fixes Mitigation(s): A patched version of the Java Runtime Environment (JRE) can be installed independently, and IBM Cognos BI can be configured to be run with the patched version of the JRE. REFERENCES: Complete CVSS Guide On-line Calculator V2 CVE-2011-4858 CVE-2012-0498 CVE-2012-2177 CVE-2012-2193 CVE-2012-4835 CVE-2012-4836 CVE-2012-4837 CVE-2012-4840 CVE-2012-4858 CVE-2012-5081 Enabling the HTTPOnly parameter RELATED INFORMATION: IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog CHANGE HISTORY: *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUTWYde4yVqjM2NGpAQL0Cg//Wa3v+0k9m9IcbnpYUZzm3DwG3wm36ITA G6HIFNNrrJxSbbIONSANLLP1+Geb/8WBA/uc8nrV1RcoNdalSvqaS4gfwpgz+Ah9 /Nw05PUv7AB6tGRP/4KTJpCmhXxNrSWiN9Ko2qKdvYKJycKwN+S+Y+Zr176IfP/g ufsRqtxkP4KZ+Xo6sUTfsAHrUUrZyKksFITO5+Jv88z16oG2xjU4uXg1RdW1uZA8 VCRQpPlRBAvQvBFvhEhkJL/uSNNv0PhZhRQL9zgSSP67htG8pRwiuhzptCFIDmvk G3gVl/ogwIO/gy89wkguVSchxGSxj4CMvfxEQCR7KVw5Dfsu7NTmOaF6cq5MsuYN kB/ZgYYoYUJSzA9TxC4f/8O6U/db8wQxAZZg4b5hTfwOpueoJV5PJqTcIydNFpIu vm0tubjcrUnu57xRPcbUzrarMgh1JWCxA2jaAIQJTqJygjbTIN42ZlvjaCtzXYkE bHXwHTJXkdGg9LKsyO8S+lhpfrIBBPIrvUnxY3yM2W5lqA1zP32ogx6w6wQq0NgV qduSGMDOsogBu77yRSDJhbUS8T+qN+Hi1PUOQrgWlpnjprdSx0N8soBNYoFQ952L QLu727CceRUhMDocm6aEpl4wcbZFOBWkGMZE/w+tG8a49xwz4XoDNrByVSL/RrpK 033KU6Gwuqg= =t+4d -----END PGP SIGNATURE-----