Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0DDFB99CB8C38EE3AD681E1DDB584ED5008E60962834E9D1EA19DCDBB6940E62
HistoryJun 15, 2018 - 11:47 p.m.

Security Bulletin: IBM Cognos Business Intelligence Server 2017Q4 Security Updater: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

2018-06-1523:47:49
www.ibm.com
2

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

Summary

IBM Cognos Business Intelligence uses Libxml2. Multiple vulnerabilites in Libxml2 have been addressed.

Vulnerability Details

CVEID: CVE-2016-4658**
DESCRIPTION:** The libxml2 library, as used in multiple products, could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error. An attacker could exploit this vulnerability using a specially crafted XML document to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117175 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-9050**
DESCRIPTION:** libxml2 is vulnerable to a heap-based buffer overflow, caused by a buffer over-read flaw in the xmlDictAddString function in dict.c. By sending a specially-crafted request, a local attacker could overflow a buffer and cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126277 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-9049**
DESCRIPTION:** libxml2 is vulnerable to a heap-based buffer overflow, caused by a buffer over-read flaw in the xmlDictComputeFastKey function in dict.c. By sending a specially-crafted request, a local attacker could overflow a buffer and cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126276 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-9048**
DESCRIPTION:** libxml2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of the strlen(buf) size in the xmlSnprintfElementContent function in valid.c. By sending a specially-crafted request, a local attacker could overflow a buffer and cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126275 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-9047**
DESCRIPTION:** libxml2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the xmlSnprintfElementContent function in valid.c. By sending a specially-crafted request, a local attacker could overflow a buffer and cause application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126274 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-8872**
DESCRIPTION:** libxml2 is vulnerable to a buffer overflow, caused by a a buffer-over-read flaw in the htmlParseTryOrFinish function in HTMLparser.c. By sending a specially-crafted request, a local attacker could overflow a buffer and cause a denial of service condition or obtain sensitive information on the system.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-7375**
DESCRIPTION:** libxml2 could allow a remote attacker to obtain sensitive information, caused by missing validation for external entities in xmlParsePEReference. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128275 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2017-5969**
DESCRIPTION:** libxml2 is vulnerable to a denial of service, caused by a NULL pointer dereference in the xmlSaveDoc functionality when used in recover mode. By persuading a victim to open a specially crafted XML document, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128274 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-16932**
DESCRIPTION:** Xmlsoft libxml2 is vulnerable to a denial of service, caused by an infinite recursion issue in parameter entities. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to exhaust available memory on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135489 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-16931**
DESCRIPTION:** Xmlsoft libxml2 is vulnerable to a buffer overflow, caused by improper handling of parameter-entity references in xmlParserHandlePEReference function. By using a percent character in a DTD name, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135488 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2.0

Remediation/Fixes

The recommended solution is to apply the fix for versions listed as soon as practical.

IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2.0

Workarounds and Mitigations

None

Related

ibm 31
nessus 52
openvas 21
osv 6
debian 5
freebsd 1
fedora 2
gentoo 1
ubuntu 4
cloudfoundry 2
rubygems 1
mageia 1
altlinux 2
veracode 12
amazon 1
ubuntucve 10
photon 1
redhatcve 8
cve 9
prion 9
debiancve 9
alpinelinux 3
github 2
cloudlinux 1
oraclelinux 1
f5 1
centos 1
redhat 1
hackerone 1
ibm
ibm
Security Bulletin: Multiple Vulnerabilities in libxml2 affects IBM Cognos Analytics
2018-06-15 23:51:36
Security Bulletin: Multiple vulnerabilities in Libxml2 affect IBM Cognos Metrics Manager.
2018-06-15 23:49:47
Security Bulletin: Vulnerabilities in libxml2 affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows
2019-01-31 02:40:01
nessus
nessus
Debian DLA-1008-1 : libxml2 security update
2017-07-03 00:00:00
SUSE SLES12 Security Update : libxml2 (SUSE-SU-2017:1587-1)
2017-06-19 00:00:00
Photon OS 1.0: Libxml2 PHSA-2017-0024
2019-02-07 00:00:00
openvas
openvas
Debian LTS: Security Advisory for libxml2 (DLA-1008-1)
2018-01-29 00:00:00
Fedora Update for libxml2 FEDORA-2018-a6b59d8f78
2018-02-15 00:00:00
Fedora Update for libxml2 FEDORA-2018-db610fff5b
2018-01-31 00:00:00
osv
osv
libxml2 - security update
2017-06-30 00:00:00
libxml2 - security update
2017-08-23 00:00:00
libxml2 - security update
2017-11-30 00:00:00
debian
debian
[SECURITY] [DLA 1008-1] libxml2 security update
2017-06-30 20:47:21
[SECURITY] [DSA 3952-1] libxml2 security update
2017-08-23 04:54:22
[SECURITY] [DSA 3952-1] libxml2 security update
2017-08-23 04:54:22
freebsd
freebsd
libxml2 -- Multiple Issues
2017-05-10 00:00:00
fedora
fedora
[SECURITY] Fedora 27 Update: libxml2-2.9.7-1.fc27
2018-01-30 18:12:24
[SECURITY] Fedora 26 Update: libxml2-2.9.7-1.fc26
2018-02-14 17:11:02
gentoo
gentoo
libxml2: Multiple vulnerabilities
2017-11-10 00:00:00
ubuntu
ubuntu
libxml2 vulnerabilities
2017-09-19 00:00:00
libxml2 vulnerabilities
2017-10-10 00:00:00
libxml2 vulnerability
2017-12-05 00:00:00
cloudfoundry
cloudfoundry
USN-3424-1: libxml2 vulnerabilities | Cloud Foundry
2017-11-01 00:00:00
USN-3504-1: libxml2 vulnerability | Cloud Foundry
2017-12-14 00:00:00
rubygems
rubygems
Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
2017-09-18 21:00:00
mageia
mageia
Updated libxml2 & perl-XML-LibXML packages fix security vulnerabilities
2018-01-03 18:50:51
altlinux
altlinux
Security fix for the ALT Linux 9 package libxml2 version 1:2.9.9.0.52.f824-alt1
2019-05-22 00:00:00
Security fix for the ALT Linux 10 package libxml2 version 1:2.9.9.0.52.f824-alt1
2019-05-22 00:00:00
veracode
veracode
Copy-paste Vulnerability Through LibXML2
2017-11-23 23:43:55
Vulnerability Through C Libraries
2017-11-01 05:30:33
Multiple Stack Overflows Through Embedded C Dependency
2017-05-17 06:00:22
amazon
amazon
Medium: libxml2
2019-09-30 22:47:00
ubuntucve
ubuntucve
CVE-2017-9049
2017-05-18 00:00:00
CVE-2017-9050
2017-05-18 00:00:00
CVE-2017-7375
2017-06-21 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2017-0024
2017-07-13 00:00:00
redhatcve
redhatcve
CVE-2017-16931
2017-11-24 15:49:50
CVE-2017-9047
2017-05-19 08:26:19
CVE-2017-9049
2017-05-19 08:26:04
cve
cve
CVE-2017-16931
2017-11-23 21:29:00
CVE-2017-7375
2018-02-19 19:29:00
CVE-2017-9048
2017-05-18 06:29:00
prion
prion
Code injection
2017-11-23 21:29:00
Stack overflow
2017-05-18 06:29:00
Buffer overflow
2017-05-18 06:29:00
debiancve
debiancve
CVE-2017-7375
2018-02-19 19:29:00
CVE-2017-16932
2017-11-23 21:29:00
CVE-2017-9047
2017-05-18 06:29:00
alpinelinux
alpinelinux
CVE-2017-16932
2017-11-23 21:29:00
CVE-2017-16931
2017-11-23 21:29:00
CVE-2017-5969
2017-04-11 16:59:00
github
github
Nokogiri gem, via libxml, is affected by DoS vulnerabilities
2022-05-13 01:02:39
Nokogiri does not forbid namespace nodes in XPointer ranges
2018-08-21 19:03:26
cloudlinux
cloudlinux
libxml2: Fix of CVE-2016-4658
2023-11-07 18:21:51
oraclelinux
oraclelinux
libxml2 security update
2021-10-13 00:00:00
f5
f5
K49419538 : libxml2 vulnerability CVE 2016-4658
2022-04-05 00:00:00
centos
centos
libxml2 security update
2021-11-17 14:46:50
redhat
redhat
(RHSA-2021:3810) Moderate: libxml2 security update
2021-10-12 13:23:35
hackerone
hackerone
Internet Bug Bounty: CVE-2017-5969: libxml2 when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference)
2017-08-23 18:59:34

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for 0DDFB99CB8C38EE3AD681E1DDB584ED5008E60962834E9D1EA19DCDBB6940E62
ibm31nessus52openvas21osv6debian5freebsd1fedora2gentoo1ubuntu4cloudfoundry2rubygems1mageia1altlinux2veracode12amazon1ubuntucve10photon1redhatcve8cve9prion9debiancve9alpinelinux3github2cloudlinux1oraclelinux1f51centos1redhat1hackerone1