IBM59318B0CF4C1FAE586869CBD784AA3B2D670508ECC73EDF830A5E166B55DCF65Security Bulletin: Security exposure in IBM Cognos Incentive Compensation Management (CVE-2014-0107)
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
There is a security vulnerability whereby a remote attacker could bypass security restrictions in Apache Xalan-Java within IBM Cognos Incentive Compensation Management 8.x and 7.x.
Vulnerability Details
CVE IDs: CVE-2014-0107
**DESCRIPTION:**Apache Xalan-Java could allow a remote attacker to bypass security restrictions, caused by the improper handling of output properties. An attacker could exploit this vulnerability to bypass the secure processing feature to load arbitrary restricted classes.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92023> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM Cognos Incentive Compensation Management 8.x and 7.x
Remediation/Fixes
The recommended solution is to download and install the following applicable fix packs available via fix central.
- 7.2.1.82225
- 7.3.0.82226
- 8.0.0.82227
- 8.0.1.82249
- 8.0.2.82251
- 8.0.3.82254
- 8.0.4.82256
These fix packs are available via Fix Central.
Workarounds and Mitigations
None known. Apply fix pack.
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P