Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0491 Security Bulletin: IBM Cognos Controller 2020Q1 Security Updater: Multiple Security Vulnerabilities have been identified in IBM Cognos Controller 12 February 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cognos Controller Publisher: IBM Operating System: Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-4046 CVE-2019-2816 CVE-2019-2769 CVE-2019-2766 CVE-2019-2602 CVE-2019-2426 CVE-2018-12547 CVE-2018-11784 CVE-2018-8039 CVE-2018-3180 CVE-2018-3139 CVE-2018-1902 CVE-2018-1305 CVE-2018-1304 CVE-2018-0734 Reference: ESB-2019.4753 ESB-2019.4748 Original Bulletin: https://www.ibm.com/support/pages/node/1284802 - --------------------------BEGIN INCLUDED TEXT-------------------- Summary This bulletin addresses several security vulnerabilities that are fixed in IBM Cognos Controller 10.4.1 IF4, 10.4.0 IF7, 10.3.1 IF13 and 10.3.0 FP1 IF14. There are multiple vulnerabilities in IBM(R) Runtime Environment Java(TM) Technology Edition, Version 7 and the IBM(R) Runtime Environment Java(TM) Technology Edition, Version 8 that are used by IBM Cognos Controller 10.3.0, 10.3.1 and 10.4.0 and 10.4.1. These issues were disclosed as part of the IBM Java SDK updates in October 2018, January 2019, April 2019 and July 2019. Vulnerabilities have been addressed in the following 3rd party software components that are consumed by IBM Cognos Controller: IBM Websphere Liberty, OpenSSL (applicable to IBM Cognos Controller 10.3.0 only) and Apache HTTP Server (applicable to IBM Controller 10.3.0 only). Vulnerability Details CVEID: CVE-2019-2426 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 155744 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2018-12547 DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 9.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 157512 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID: CVE-2018-11784 DESCRIPTION: When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. CVSS Base score: 7.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 150860 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) CVEID: CVE-2018-1902 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to spoof connection information which could be used to launch further attacks against the system. IBM X-Force ID: 152531. CVSS Base score: 3.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 152531 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2018-3180 DESCRIPTION: An unspecified vulnerability related to the Java SE JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. CVSS Base score: 5.6 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151497 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) CVEID: CVE-2018-3139 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 151455 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) CVEID: CVE-2019-2602 DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 159698 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2018-8039 DESCRIPTION: It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty ("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 145516 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVEID: CVE-2019-4046 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of Memory. IBM X-Force ID: 156242. CVSS Base score: 5.9 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 156242 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2018-1305 DESCRIPTION: Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 139475 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVEID: CVE-2018-1304 DESCRIPTION: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 139476 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVEID: CVE-2018-0734 DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 152085 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2019-2766 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 163829 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) CVEID: CVE-2019-2769 DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 163832 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2019-2816 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 4.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 163878 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) Affected Products and Versions IBM Cognos Controller 10.4.1 IBM Cognos Controller 10.4.0 IBM Cognos Controller 10.3.1 IBM Cognos Controller 10.3.0 Remediation/Fixes The recommended solution is to apply the applicable IBM Cognos Controller Interim Fix as soon as practical. Cognos Controller 10.3.0 IF14, 10.3.1 IF13, 10.4.0 IF7, 10.4.1 IF4 Workarounds and Mitigations None - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXkOT3GaOgq3Tt24GAQiScQ//Ug75Y1GNUlZ/QYLouRnRySA4r42j7H2E V3KO+H6vKRGrlwBCKSw4eHGprffrfhghChaKQYgN2TXJBL5as+kdbNs0X+STTTni unnUUYVM34KlKqLEkmRg0xKcTjV7fjHcqfI7ktCvs1ESRXVb1BTBnGw0uarmABil Ts3Sn3/5OwdmoNa1M9aldwBvH8+f8yc6dr/uvtGw2H0n4RIqd4Syr5RIcdHj6Qpi QAiN0v2EKehb5PdjuxuNZHfhpb9tHML61Z5wXW01kFyWDC5O3DRinNTjGvwaIhwT qtyGs3Pka1ux3XjACB16dHkm0J2Dw6zKguwwjNXuhUe1vEwPqHkxuKN78UghVlFz pJKem6jCB52+q+FKBrfAgoSirWvpJo56cjz9Zne6H8tplnyEc6ZabsNl+q42+Evy +hHHrOE4pDeTEhG3/dorCk4V0yIF5D1yWVeI7pkh5NRafqA8yFswrjjZcX0ztlFp +psEPPp0Vf0sQRO+W1uGDpnX91dcFPH+PgOkPDXJRaUJ4tJNimfNStOumy8OVEqt DOpRgbwHqbzVjipg/WBB54O03dCnm44vyQWYHg4UWDw/PiGowHOepfHzFRqHrf0A aw2VVhxyBMa9K5sH3b26ZqxsCTwn62dVvEj5UNiYEU0dhzd9Jn1IX8kSNGGIjF7u HhGHV9VJkRc= =y/BR -----END PGP SIGNATURE-----