===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1890
    A security vulnerability has been addressed in IBM Cognos Analytics
                                (CVE-2019-4139)
                                 27 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cognos Analytics
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4139

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10883872

--------------------------BEGIN INCLUDED TEXT--------------------

A security vulnerability has been addressed in IBM Cognos Analytics (CVE-2019-4139)

Product:             Cognos Analytics
Component:           Not Applicable
Software version:    11.0, 11.1.0, 11.1.1
Operating system(s): Platform Independent
Reference #:         0883872

Security Bulletin

Summary

This bulletin addresses a security vulnerability that has been fixed in IBM Cognos Analytics 11.1.2 and IBM Cognos Analytics 11.0.13 FP1. A Cross Site Scripting (XSS) vulnerability could allow attackers to inject code into a GET statement when importing visualizations. This has been addressed in the latest available updates.

Vulnerability Details

CVEID: CVE-2019-4139
DESCRIPTION: IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158335 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Cognos Analytics 11.1.1
IBM Cognos Analytics 11.1.0
IBM Cognos Analytics 11.0

Remediation/Fixes

The recommended solution is to apply the appropriate fix for IBM Cognos Analytics as soon as practical.

IBM Cognos Analytics 11.1.2
IBM Cognos Analytics 11.0.13 FP1

Workarounds and Mitigations

None

Change History

23 May 2019: Original Version Published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
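An added inventory check, not part of the AusCERT or IBM bulletin: the helper below maps an installed Cognos Analytics version to the fixed release this bulletin names for its stream (11.0.13 FP1 for the 11.0 stream, 11.1.2 for the 11.1 stream) and reports whether the install is still below it. The version-string format it parses ("major.minor[.patch][ FPn]") is an assumption about how an administrator records the version, not a format IBM defines here.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the bulletin for CVE-2019-4139, keyed by release stream.
FIXED_RELEASES = {
    (11, 0): "11.0.13 FP1",
    (11, 1): "11.1.2",
}

# Assumed version format "major.minor[.patch][ FPn]", e.g. "11.0.13 FP1".
# This is an assumption about how an admin records the version, not an IBM format.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*FP(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a comparable (major, minor, patch, fixpack) tuple.

    A missing patch or fix pack counts as 0, so "11.0.13" sorts below "11.0.13 FP1".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, fp = m.groups()
    return (int(major), int(minor), int(patch or 0), int(fp or 0))


def fixed_release_for(installed: str) -> Optional[str]:
    """Return the fixed release for the installed version's stream, or None if not covered."""
    major, minor, _, _ = parse_version(installed)
    return FIXED_RELEASES.get((major, minor))


def is_affected(installed: str) -> Optional[bool]:
    """True when the installed version is below the fixed release for its stream.

    Returns None when the stream is not covered by this bulletin, so a caller
    treats it as "not assessed" rather than "safe".
    """
    fixed = fixed_release_for(installed)
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, version in [("cognos-a", "11.0.12"), ("cognos-b", "11.0.13 FP1"),
                          ("cognos-c", "11.1.1"), ("cognos-d", "11.1.2")]:
        status = {True: "affected", False: "fixed", None: "not assessed"}[is_affected(version)]
        print(f"{host:10} {version:14} {status}")
```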