History: Jun 15, 2018 - 11:17 p.m.

Security Bulletin: Privilege Escalation vulnerability affects Cognos Business Intelligence (CVE-2016-8960)

2018-06-15 23:17:02
www.ibm.com

8.8 High

CVSS3 (score shown on this page; IBM's own score and vector for this CVE are given under Vulnerability Details)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

Summary

Cognos Business Intelligence is vulnerable to a privilege escalation attack that could grant a user the Capabilities of another.

Vulnerability Details

CVEID: CVE-2016-8960
DESCRIPTION: IBM Cognos Business Intelligence could allow a user with lower-privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie value from its HTTP request and then reusing it in subsequent requests.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118849 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2

Remediation/Fixes

The recommended solution is to apply the fix for the listed versions as soon as practical.

10.2.0: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043288
10.2.2: http://www.ibm.com/support/docview.wss?uid=swg24043288

Workarounds and Mitigations

Configure the BI Server as follows to avoid the privilege escalation issue:
1. Launch IBM Cognos Configuration
2. Select Local Configuration
3. Select Advanced Properties
4. Add a property with Name="EnableSecureUserCapabilitiesCache" and Value="true"
5. Save the configuration
6. Restart the Cognos BI Server

This action should be applied for all BI Server installations that could be affected. Any variation of the Cognos BI Server (Gateway, Content Manager, Application Tier) should apply the setting.

In a distributed installation all BI Server instances should apply the setting.

The setting is available in all releases of 10.2.0, 10.2.1, 10.2.1.1, and 10.2.2. It is not available in 10.1.1.

In a distributed installation if any instance is running 10.1.1 or lower, these instances would need to be upgraded to 10.2.0 or higher before the setting can be applied on any of the installations.

A side effect of enabling this setting is that users may see the error DPR-ERR-2107 "The User Capabilities Cache cookie cannot be decoded" if their browser session with Cognos remains idle for longer than the Inactivity Timeout, which is one hour by default. It may also be seen the first time the setting is enabled, in any Cognos browser sessions that remained open across the restart.

The DPR-ERR-2107 error can be resolved by clearing the browser's cookies.

The Inactivity Timeout is found in the Configuration tool under Security / Authentication.
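The description under Vulnerability Details (a lower-privilege user reusing a captured cookie to adopt another user's Capabilities) and the DPR-ERR-2107 side effect of the workaround both follow from how a client-held capabilities cache is validated. The following Python is an added illustration, not IBM's code: the bulletin does not describe the Cognos cookie format or what EnableSecureUserCapabilitiesCache changes internally, so the script models the class of defect (an authorization cache that is a bearer token any holder can replay) next to a generic hardening (the cache is keyed with a server secret, bound to the caller's own session id, and rejected once the inactivity timeout has passed, measured here from issue time rather than last activity for simplicity). The key, session ids, capability names and timeout handling are all assumptions made for the example.

```python
"""Added illustration of the cookie-replay weakness: a capabilities cache that
is a bearer token, beside one bound to the session and keyed server-side.
This is a constructed model, not IBM Cognos code; the real cookie format and
the behaviour of EnableSecureUserCapabilitiesCache are not described here."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

INACTIVITY_TIMEOUT = 3600             # seconds; the bulletin's default of one hour
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to clients


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CacheCookieError(Exception):
    """The cache cookie cannot be decoded or verified (cf. DPR-ERR-2107)."""


# Weak pattern: the cookie itself is the authority, so any holder can replay it.
def issue_weak(capabilities: set) -> str:
    return _b64e(json.dumps(sorted(capabilities)).encode())


def read_weak(cookie: str) -> set:
    return set(json.loads(_b64d(cookie)))


# Hardened pattern: capabilities are tied to one session id, stamped with an
# issue time, and authenticated with a server-side key.
def issue_secure(capabilities: set, session_id: str, issued_at: int) -> str:
    payload = json.dumps({"caps": sorted(capabilities), "sid": session_id,
                          "iat": issued_at}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def read_secure(cookie: str, session_id: str, now: int) -> set:
    """session_id is the caller's own authenticated session, not taken from the cookie."""
    try:
        enc_payload, enc_tag = cookie.split(".")
        payload, tag = _b64d(enc_payload), _b64d(enc_tag)
    except (ValueError, binascii.Error) as exc:
        raise CacheCookieError("cache cookie cannot be decoded") from exc
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise CacheCookieError("cache cookie failed integrity check")
    data = json.loads(payload)
    if data["sid"] != session_id:
        raise CacheCookieError("cache cookie was issued to a different session")
    if now - data["iat"] > INACTIVITY_TIMEOUT:
        raise CacheCookieError("cache cookie outlived the inactivity timeout")
    return set(data["caps"])


def _rejected(fn) -> bool:
    try:
        fn()
    except CacheCookieError:
        return True
    return False


def replay_scenario() -> dict:
    """Constructed scenario: an administrator's cache cookie is captured and
    replayed by a lower-privileged user, against both designs."""
    admin_caps = {"Administration", "Report Studio"}
    t0 = 1_000_000
    weak = issue_weak(admin_caps)
    secure = issue_secure(admin_caps, "admin-session", t0)
    # Attacker rewrites the session id in the payload but cannot recompute the tag.
    forged_payload = json.dumps({"caps": sorted(admin_caps), "sid": "user-session",
                                 "iat": t0}, sort_keys=True).encode()
    forged = _b64e(forged_payload) + "." + secure.split(".")[1]
    return {
        # weak: replay from any session yields the administrator's capabilities
        "weak_replay_grants_admin": "Administration" in read_weak(weak),
        # hardened: the owner's own session still works
        "secure_owner_ok": read_secure(secure, "admin-session", t0 + 60) == admin_caps,
        # hardened: replay from the lower-privileged user's session is rejected
        "secure_replay_rejected": _rejected(lambda: read_secure(secure, "user-session", t0 + 60)),
        # hardened: re-targeting the cookie at the attacker's session breaks the tag
        "secure_forgery_rejected": _rejected(lambda: read_secure(forged, "user-session", t0 + 60)),
        # hardened: the side effect the bulletin describes, idle past the timeout
        "idle_past_timeout_rejected": _rejected(
            lambda: read_secure(secure, "admin-session", t0 + INACTIVITY_TIMEOUT + 1)),
        # hardened: a string that is not a cookie fails cleanly rather than crashing
        "garbage_rejected": _rejected(lambda: read_secure("not-a-cookie", "admin-session", t0)),
    }


if __name__ == "__main__":
    for check, outcome in replay_scenario().items():
        print(f"{check}: {outcome}")
```

Run the file directly to print each check. The point that carries over to any application caching authorization state on the client is that the cache must be verified against the server's own view of who is asking and when, not trusted because it decodes; a replayed, retargeted or stale cache must fail closed, which is exactly the failure the bulletin tells users to clear their cookies to recover from.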

