-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0491
Security Bulletin: IBM Cognos Controller 2020Q1 Security Updater: Multiple
  Security Vulnerabilities have been identified in IBM Cognos Controller
                             12 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cognos Controller
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4046 CVE-2019-2816 CVE-2019-2769
                   CVE-2019-2766 CVE-2019-2602 CVE-2019-2426
                   CVE-2018-12547 CVE-2018-11784 CVE-2018-8039
                   CVE-2018-3180 CVE-2018-3139 CVE-2018-1902
                   CVE-2018-1305 CVE-2018-1304 CVE-2018-0734

Reference:         ESB-2019.4753
                   ESB-2019.4748

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1284802

- --------------------------BEGIN INCLUDED TEXT--------------------

Summary

This bulletin addresses several security vulnerabilities that are fixed in IBM
Cognos Controller 10.4.1 IF4, 10.4.0 IF7, 10.3.1 IF13 and 10.3.0 FP1 IF14.
There are multiple vulnerabilities in the IBM(R) Runtime Environment Java(TM)
Technology Edition, Version 7 and Version 8, that are used by IBM Cognos
Controller 10.3.0, 10.3.1, 10.4.0 and 10.4.1. These issues were disclosed as
part of the IBM Java SDK updates in October 2018, January 2019, April 2019 and
July 2019. Vulnerabilities have also been addressed in the following third-party
software components consumed by IBM Cognos Controller: IBM WebSphere Liberty,
OpenSSL (applicable to IBM Cognos Controller 10.3.0 only) and Apache HTTP Server
(applicable to IBM Cognos Controller 10.3.0 only).

Vulnerability Details

CVEID:   CVE-2019-2426
DESCRIPTION:   An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2018-12547
DESCRIPTION:   Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by
improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions.
By sending an overly long argument, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-11784
DESCRIPTION:   When the default servlet in Apache Tomcat versions 9.0.0.M1 to
9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory
(e.g. redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any URI of
the attacker's choice.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150860 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID:   CVE-2018-1902
DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could
allow a remote attacker to spoof connection information which could be used to
launch further attacks against the system. IBM X-Force ID: 152531.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152531 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2018-3180
DESCRIPTION:   An unspecified vulnerability related to the Java SE JSSE
component could allow an unauthenticated attacker to cause low confidentiality
impact, low integrity impact, and low availability impact.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151497 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2018-3139
DESCRIPTION:   An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151455 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-2602
DESCRIPTION:   An unspecified vulnerability related to the Java SE Libraries
component could allow an unauthenticated attacker to cause a denial of service
resulting in a high availability impact using unknown attack vectors.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2018-8039
DESCRIPTION:   It is possible to configure Apache CXF to use the
com.sun.net.ssl implementation via
'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'.
When this system property is set, CXF uses some reflection to try to make the
HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface.
The default HostnameVerifier implementation in CXF does not implement the
method in this interface, so an exception is thrown. In Apache CXF prior to
3.2.5 and 3.1.16 that exception is caught in the reflection code and not
properly propagated. This means that if you are using the com.sun.net.ssl
stack with CXF, a TLS hostname verification error will not be raised, leaving
a CXF client subject to man-in-the-middle attacks.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145516 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2019-4046
DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is
vulnerable to a denial of service, caused by improper handling of request
headers. A remote attacker could exploit this vulnerability to cause the
consumption of memory. IBM X-Force ID: 156242.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156242 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2018-1305
DESCRIPTION:   Security constraints defined by annotations of Servlets in
Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0
to 7.0.84 were only applied once a Servlet had been loaded. Because security
constraints defined in this way apply to the URL pattern and any URLs below
that point, it was possible - depending on the order Servlets were loaded - for
some security constraints not to be applied. This could have exposed resources
to users who were not authorised to access them.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/139475 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2018-1304
DESCRIPTION:   The URL pattern of "" (the empty string) which exactly maps to
the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4,
8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a
security constraint definition. This caused the constraint to be ignored. It
was, therefore, possible for unauthorised users to gain access to web
application resources that should have been protected. Only security
constraints with a URL pattern of the empty string were affected.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/139476 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
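
The CVE-2018-1304 entry above states that only security constraints whose
url-pattern is the empty string (the exact context-root mapping) were affected,
and that on an affected Tomcat such a constraint is silently ignored. Before and
after applying the fix, a defender will want to know whether any deployed
web.xml actually carries such a constraint. The following Python audit is an
added example; it is not from the bulletin, IBM or Apache Tomcat. It parses a
web.xml (namespace-aware, since real deployment descriptors declare one) and
lists every security-constraint that maps the empty string. The web.xml it runs
on is constructed for the example.

```python
"""Audit a web.xml for security constraints with an empty-string url-pattern.

Added example, not part of the IBM/AusCERT bulletin or of Apache Tomcat.
CVE-2018-1304 affects only constraints whose <url-pattern> is "" (the exact
mapping for the context root); this script lists those so they can be
reviewed. SAMPLE_WEB_XML below is constructed for the example.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def empty_pattern_constraints(web_xml: str) -> list:
    """Return (display-name, [role-name, ...]) for every <security-constraint>
    that has at least one empty-string <url-pattern>. display-name is '' when
    the constraint declares none."""
    root = ET.fromstring(web_xml)
    findings = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        name, patterns, roles = "", [], []
        for el in constraint.iter():
            tag = _local(el.tag)
            text = (el.text or "").strip()   # <url-pattern/> has text None
            if tag == "display-name":
                name = text
            elif tag == "url-pattern":
                patterns.append(text)
            elif tag == "role-name":
                roles.append(text)
        if "" in patterns:
            findings.append((name, roles))
    return findings


# Constructed deployment descriptor: one constraint on the context root (the
# affected shape), one ordinary prefix constraint that is not affected.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>root-only-for-admins</display-name>
    <web-resource-collection>
      <web-resource-name>Context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>admin-area</display-name>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for name, roles in empty_pattern_constraints(SAMPLE_WEB_XML):
        print(f"context-root constraint {name!r} (roles {roles}) is ignored "
              "on Tomcat versions affected by CVE-2018-1304")
```

Run it against each WEB-INF/web.xml on the affected hosts; an empty result
means the upgrade closes the Tomcat bug without any constraint having been
silently bypassed in the meantime, while a non-empty result identifies the
resources whose access control should be reviewed.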

CVEID:   CVE-2018-0734
DESCRIPTION:   The OpenSSL DSA signature algorithm has been shown to be
vulnerable to a timing side channel attack. An attacker could use timing
variations in the signing algorithm to recover the private key. Fixed in
OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected
1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-2766
DESCRIPTION:   An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163829 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-2769
DESCRIPTION:   An unspecified vulnerability related to the Java SE Utilities
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163832 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2019-2816
DESCRIPTION:   An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to cause low confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163878 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

IBM Cognos Controller 10.4.1

IBM Cognos Controller 10.4.0

IBM Cognos Controller 10.3.1

IBM Cognos Controller 10.3.0

Remediation/Fixes

The recommended solution is to apply the applicable IBM Cognos Controller
Interim Fix as soon as practical.

Cognos Controller 10.3.0 IF14, 10.3.1 IF13, 10.4.0 IF7, 10.4.1 IF4

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----