8.8 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
Cognos Business Intelligence is vulnerable to a privilege escalation attack that could grant a user the Capabilities of another.
**CVEID:** CVE-2016-8960
**DESCRIPTION:** IBM Cognos Business Intelligence could allow a user with lower privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie value from its HTTP request and then reusing it in subsequent requests.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
The recommended solution is to apply the fix for versions listed as soon as practical.
10.2.0: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.2: http://www.ibm.com/support/docview.wss?uid=swg24043288
Configure the BI Server as follows to avoid the privilege escalation issue:
1. Launch IBM Cognos Configuration
2. Select Local Configuration
3. Select Advanced Properties
4. Add a property with Name="EnableSecureUserCapabilitiesCache" and Value="true"
5. Save the configuration
6. Restart the Cognos BI Server
This action should be applied for all BI Server installations that could be affected. Any variation of the Cognos BI Server (Gateway, Content Manager, Application Tier) should apply the setting.
In a distributed installation all BI Server instances should apply the setting.
The setting is available in all versions of 10.2.2, 10.2.1, 10.2.1.1, and 10.2.0. It is not available in 10.1.1.
In a distributed installation if any instance is running 10.1.1 or lower, these instances would need to be upgraded to 10.2.0 or higher before the setting can be applied on any of the installations.
A side effect of enabling this setting is that the user may experience the error DPR-ERR-2107 "The User Capabilities Cache cookie cannot be decoded" if the user's browser session with Cognos remains idle for longer than the Inactivity Timeout, which is one hour by default. It may also be seen the first time the setting is enabled after restarting, in any Cognos browser sessions that remained open since the restart.
The DPR-ERR-2107 error can be resolved by clearing the browser's cookies.
The Inactivity Timeout is found in the Configuration tool under Security / Authentication.
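As an added illustration (not IBM's code, and not a description of how Cognos implements the setting), the following Python contrasts a Capabilities cache cookie that any session can present with one that is bound to the session it was issued for and sealed with a server-side HMAC. The key, session table and Capability names are constructed for the example; the bound form also shows why such a cookie stops decoding once the server has dropped an idle session, which is the side effect described above.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; a real server keeps its own secret and session store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
ACTIVE_SESSIONS = {"sess-admin", "sess-lowpriv"}   # sessions the server still considers live

def make_unbound_cookie(capabilities):
    """Weak form: cached Capabilities carry no binding to the session that earned them."""
    return base64.urlsafe_b64encode(json.dumps(sorted(capabilities)).encode()).decode()

def read_unbound_cookie(cookie, session_id):
    """Whoever presents the cookie receives its Capabilities; session_id is never consulted."""
    return set(json.loads(base64.urlsafe_b64decode(cookie)))

def make_bound_cookie(capabilities, session_id):
    """Hardened form: the cache names its session and is sealed with a server-side MAC."""
    payload = json.dumps({"sid": session_id, "caps": sorted(capabilities)}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def read_bound_cookie(cookie, session_id):
    """Returns the cached Capabilities, or None when the cookie cannot be accepted."""
    raw = base64.urlsafe_b64decode(cookie)
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None          # altered or minted under another key: cannot be decoded
    data = json.loads(payload)
    if data["sid"] != session_id or session_id not in ACTIVE_SESSIONS:
        return None          # presented from a different session, or the session has timed out
    return set(data["caps"])

def outcomes():
    """Cookie issued to the administrator's session, then presented elsewhere or after timeout."""
    admin_caps = {"Administration", "Report Studio"}
    unbound = make_unbound_cookie(admin_caps)
    bound = make_bound_cookie(admin_caps, "sess-admin")
    results = {
        "unbound_from_other_session": read_unbound_cookie(unbound, "sess-lowpriv"),
        "bound_from_other_session": read_bound_cookie(bound, "sess-lowpriv"),
        "bound_from_owner": read_bound_cookie(bound, "sess-admin"),
    }
    ACTIVE_SESSIONS.discard("sess-admin")           # server drops the idle session
    results["bound_after_timeout"] = read_bound_cookie(bound, "sess-admin")
    ACTIVE_SESSIONS.add("sess-admin")
    return results
```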