Security Bulletin: A vulnerability in Apache Axis affects IBM Cognos Metrics Manager (CVE-2012-5784)

Summary

An Apache Axis vulnerability was disclosed in Nov 2012. The Apache Axis library is included with IBM Cognos Metrics Manager. IBM Cognos Metrics Manager has addressed the vulnerability.

Vulnerability Details

CVEID: CVE-2012-5784**
DESCRIPTION:** Apache Axis 1.4, as used in multiple products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate. An attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server and launch further attacks against a vulnerable target.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79829 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

• • IBM Cognos Metrics Manager 10.2.2
• IBM Cognos Metrics Manager 10.2.1
• IBM Cognos Metrics Manager 10.2
• IBM Cognos Metrics Manager 10.1.1
• IBM Cognos Metrics Manager 10.1

Remediation/Fixes

The recommended solution is to apply the fix in one of the IBM Cognos Business Intelligence 10.x interim fixes listed as soon as practical. Note that the prerequisites named in the links are also satisfied by an IBM Cognos Metrics Manager install of the same version.

IBM Cognos Business Intelligence 10.1.x Interim fixes
IBM Cognos Business Intelligence 10.2 and 10.2.1 Interim fixes
IBM Cognos Business Intelligence 10.2.2 Interim fix 1

Workarounds and Mitigations

None