-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0582
        Multiple vulnerabilities have been identified in IBM Cognos
                           Business Intelligence
                               6 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cognos Business Intelligence
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9985 CVE-2016-8960 CVE-2016-8735
                   CVE-2016-6816 CVE-2016-6797 CVE-2016-6796
                   CVE-2016-6794 CVE-2016-5983 CVE-2016-5388
                   CVE-2016-5018 CVE-2016-0762 

Reference:         ESB-2017.0536
                   ESB-2017.0515
                   ESB-2017.0514
                   ESB-2016.1992
                   ESB-2016.1765
                   ESB-2016.1764

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21999671
   http://www.ibm.com/support/docview.wss?uid=swg21993718

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Cognos Business Intelligence Server 2017Q1 Security
Updater: IBM Cognos Business Intelligence Server is affected by multiple
vulnerabilities.

Document information


Software version: 10.1.1, 10.2, 10.2.1, 10.2.1.1, 10.2.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #: 1999671

Modified date: 03 March 2017

Security Bulletin

Summary

This bulletin addresses several security vulnerabilities.

IBM Cognos Business Intelligence has addressed a vulnerability where
sensitive information can be revealed in its log files.

There is a vulnerability in IBM WebSphere Application Server
Liberty. Liberty is used by IBM Cognos Business Intelligence version
10.2.2. This issue was disclosed as part of the IBM WebSphere Application
Server Liberty updates.

IBM Cognos Business Intelligence has addressed several Apache Tomcat
vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-9985
DESCRIPTION: IBM Cognos Server stores highly sensitive information in log
files that could be read by a local user.
CVSS Base Score: 6.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120391 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5983
DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to
execute arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/116468 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-0762
DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive
information, caused by the Realm implementation failing to process the
user-supplied password when the specified user name does not exist. An
attacker could exploit this vulnerability to conduct a timing attack and
determine valid usernames on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118407 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
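The CVE-2016-0762 pattern above, as an added illustration that is not Tomcat's own code: the leaky realm returns before any password work when the user name is unknown, so the response time reveals which names exist; the fixed realm runs the same PBKDF2 computation against a dummy record for unknown names. The user store, the WorkCounter helper and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential store: name -> (salt, PBKDF2 digest).
ITERATIONS = 50_000


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return salt, _digest(password, salt)


USERS = {"alice": make_user("correct horse")}

# Dummy record that is never a real account. Its digest is computed once, so
# the unknown-user path costs exactly one PBKDF2 run, like the known-user path.
_DUMMY_SALT, _DUMMY_DIGEST = make_user(os.urandom(16).hex())


class WorkCounter:
    """Counts expensive credential checks so the difference is observable."""

    def __init__(self):
        self.hash_runs = 0


def authenticate_leaky(name, password, counter):
    # Unknown user: returns before doing any password work (timing leak).
    rec = USERS.get(name)
    if rec is None:
        return False
    salt, expected = rec
    counter.hash_runs += 1
    return hmac.compare_digest(_digest(password, salt), expected)


def authenticate_fixed(name, password, counter):
    # Unknown user: still runs the full PBKDF2 against the dummy record and
    # then rejects, so known and unknown names cost the same.
    rec = USERS.get(name)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    counter.hash_runs += 1
    ok = hmac.compare_digest(_digest(password, salt), expected)
    return ok and rec is not None
```

The counter stands in for a stopwatch: the fixed variant performs one hash run on every path, which is the property a timing probe can no longer distinguish.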

CVEID: CVE-2016-5018
DESCRIPTION: Apache Tomcat could allow a local attacker to bypass security
restrictions. An attacker could exploit this vulnerability using a Tomcat
utility method to bypass a configured SecurityManager.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118406 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-6794
DESCRIPTION: Apache Tomcat could allow a local attacker to obtain sensitive
information, caused by an error in the system property replacement
feature. An attacker could exploit this vulnerability to bypass the
SecurityManager and read system properties.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118405 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-6796
DESCRIPTION: Apache Tomcat could allow a local attacker to bypass security
restrictions. By modifying configuration parameters for the JSP Servlet,
an attacker could exploit this vulnerability to bypass a configured
SecurityManager.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118404 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-6797
DESCRIPTION: Apache Tomcat could allow a local attacker to gain unauthorized
access to the system, caused by an error in the ResourceLinkFactory. An
attacker could exploit this vulnerability to gain access to arbitrary
global JNDI resources.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118403 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-6816
DESCRIPTION: Apache Tomcat is vulnerable to HTTP response splitting attacks,
caused by improper validation of user-supplied input. A remote attacker
could exploit this vulnerability to inject arbitrary HTTP headers and cause
the server to return a split response, once the URL is clicked. This would
allow the attacker to perform further attacks, such as Web cache poisoning
or cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119158 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-8735
DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary
code on the system, caused by an error in the JmxRemoteLifecycleListener. By
sending specially crafted data to a JMX port, an attacker could exploit
this vulnerability to execute arbitrary code on the system with elevated
privileges.
CVSS Base Score: 7.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119157 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5388
DESCRIPTION: Apache Tomcat could allow a remote attacker to redirect the HTTP
traffic of a CGI application, caused by the failure to protect applications
from the presence of untrusted client data in the HTTP_PROXY environment
variable. By using a specially crafted Proxy header in an HTTP request, an
attacker could exploit this vulnerability to redirect outbound HTTP traffic
to an arbitrary proxy server. This is also known as the "HTTPOXY" vulnerability.
CVSS Base Score: 8.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/115091 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
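How the HTTPOXY condition arises in a CGI gateway and the check that closes it, as an added example rather than Tomcat's CGIServlet code: RFC 3875 maps every request header to an HTTP_* environment variable, so a client-sent Proxy header becomes HTTP_PROXY, which many HTTP client libraries honour. The sample headers and the proxy address (a documentation-range IP) are constructed.

```python
# Constructed request headers as a CGI gateway would see them.
SAMPLE_HEADERS = [
    ("Host", "reports.example.internal"),
    ("User-Agent", "constructed-client/1.0"),
    ("Proxy", "http://203.0.113.5:8080"),  # constructed client-supplied value
    ("Accept", "text/html"),
]


def header_to_env_name(name):
    # RFC 3875 meta-variable naming: HTTP_ + upper-cased name, '-' -> '_'.
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_weak(headers):
    # Pre-fix behaviour: every header is exported, so "Proxy" (in any
    # letter case) lands in HTTP_PROXY for the child process.
    env = {}
    for name, value in headers:
        env[header_to_env_name(name)] = value
    return env


def cgi_env_fixed(headers):
    # Hardened: never export a header whose meta-variable name would be
    # HTTP_PROXY; comparing the normalised name covers case variants.
    env = {}
    for name, value in headers:
        env_name = header_to_env_name(name)
        if env_name == "HTTP_PROXY":
            continue
        env[env_name] = value
    return env


def env_is_safe(env):
    # Sanity check to run on a gateway's environment before launching a CGI.
    return "HTTP_PROXY" not in env
```

The same drop rule belongs in any component that forwards request headers into process environments, not only in Tomcat's CGI servlet.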

Affected Products and Versions

IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1.1

Remediation/Fixes

The recommended solution is to apply the fix for versions listed as soon
as practical.

10.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043287
10.2.0: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.2: http://www.ibm.com/support/docview.wss?uid=swg24043288

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

3 March 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- --------------------------------------------------------------------------------

Security Bulletin: Privilege Escalation vulnerability affects Cognos
Business Intelligence (CVE-2016-8960)

Document information


Software version: 10.2, 10.2.1, 10.2.1.1, 10.2.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition: All Editions

Reference #: 1993718

Modified date: 03 March 2017

Security Bulletin

Summary

Cognos Business Intelligence is vulnerable to a privilege escalation attack
that could grant a user the Capabilities of another.

Vulnerability Details

CVEID: CVE-2016-8960
DESCRIPTION: IBM Cognos Business Intelligence could allow a user with lower
privilege Capabilities to adopt the Capabilities of a higher-privilege
user by intercepting the higher-privilege user's cookie value from its
HTTP request and then reusing it in subsequent requests.
CVSS Base Score: 6.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/118849 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Remediation/Fixes

The recommended solution is to apply the fix for versions listed as soon
as practical.
10.2.0: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.2: http://www.ibm.com/support/docview.wss?uid=swg24043288

Workarounds and Mitigations

Configure the BI Server as follows to avoid the privilege escalation issue:
1. Launch IBM Cognos Configuration
2. Select Local Configuration
3. Select Advanced Properties
4. Add a property with Name="EnableSecureUserCapabilitiesCache" and
Value=true
5. Save the configuration
6. Restart the Cognos BI Server

This action should be applied for all BI Server installations that could be
affected. Any variation of the Cognos BI Server (Gateway, Content Manager,
Application Tier) should apply the setting.

In a distributed installation all BI Server instances should apply the
setting.

The setting is available in all versions of 10.2.2, 10.2.1, 10.2.1.1,
and 10.2.0. It is not available in 10.1.1.

In a distributed installation if any instance is running 10.1.1 or lower,
these instances would need to be upgraded to 10.2.0 or higher before the
setting can be applied on any of the installations.

A side effect of enabling this setting is that the user may experience
the error DPR-ERR-2107 "The User Capabilities Cache cookie cannot be
decoded" if their browser session with Cognos remains idle for longer
than the Inactivity Timeout, which is one hour by default. It may also be
seen, the first time the setting is enabled after a restart, in any Cognos
browser sessions that remained open since the restart.

The DPR-ERR-2107 error can be resolved by clearing the browser's cookies.

The Inactivity Timeout is found in the Configuration tool under Security
/ Authentication.
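Why binding the capabilities cache cookie to its session defeats the replay described for CVE-2016-8960, as an added illustration: the cookie carries an HMAC over the session id and payload under a per-process key, so a copy taken from another user's session, or one issued before a restart or left idle past the timeout, no longer decodes. This is not IBM's code; the bulletin does not describe how EnableSecureUserCapabilitiesCache is implemented, so the design, key handling and JSON layout here are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumption: a key generated per process, so cookies from before a restart
# stop decoding, matching the restart behaviour the bulletin describes.
SERVER_KEY = os.urandom(32)
INACTIVITY_TIMEOUT = 3600  # seconds; the bulletin's default of one hour
TAG_LEN = 32


def _tag(session_id, payload):
    return hmac.new(SERVER_KEY, session_id.encode() + b"\0" + payload,
                    hashlib.sha256).digest()


def mint_capabilities_cookie(session_id, capabilities, now):
    # Re-minted on each request so "t" reflects the last activity time.
    payload = json.dumps({"caps": sorted(capabilities), "t": now},
                         separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _tag(session_id, payload)).decode()


def decode_capabilities_cookie(session_id, cookie, now):
    """Return the capability list, or None if the cookie cannot be decoded
    for this session (wrong session, wrong key, tampered, or idle too long)."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(session_id, payload)):
        return None  # cookie was minted for another session or another key
    data = json.loads(payload)
    if now - data["t"] > INACTIVITY_TIMEOUT:
        return None  # idle longer than the Inactivity Timeout
    return data["caps"]
```

A cookie captured from an administrator's session verifies only when presented with that same session id, so presenting it from a different session yields the "cannot be decoded" outcome rather than the administrator's capabilities.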

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Vulnerability reported to IBM by Mayank Somani.

Change History

6 November 2016: Original Version Published
21 November 2016: Added Acknowledgement
21 December 2016: Document updated to meet Security Bulletin guidelines
5 January 2017: Document updated to add Change Log
3 March 2017: Permanent fix available; link provided. Correct platforms
and versions for fix.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----