History: Nov 10, 2022 - 12:06 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Cognos Express (CVE-2013-5443, CVE-2013-5445, CVE-2013-5444, CVE-2013-2407, CVE-2013-2450, CVE-2013-0169, CVE-2013-1478, CVE-2013-1480)

2022-11-10 12:06:25
www.ibm.com

10 High

CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.093 Low
Percentile: 94.6%

Summary

A number of security vulnerabilities in IBM Cognos Express have been identified and addressed in a software update.

Vulnerability Details

CVE ID: CVE-2013-5443
DESCRIPTION:
A Cross Site Request Forgery (CSRF) vulnerability in IBM Cognos Express allows an attacker that is able to trick an authenticated user into clicking or following a malicious link to perform actions they did not intend to.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87819 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.

CVE ID: CVE-2013-5445

DESCRIPTION:
Encrypted credentials can be remotely retrieved from the IBM Cognos Express server.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87821 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.

CVE ID: CVE-2013-5444

DESCRIPTION:
Encryption is unnecessarily weakened due to use of a static key which could assist an attacker with decrypting information they should not have access to.

CVSS:
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87820 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.

CVE ID: CVE-2013-2407

DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker that is able to send specially crafted XML data to the server to cause a denial of service.

CVSS:
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.

CVE ID: CVE-2013-2450

DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express could allow an attacker that is able to send specially crafted data to the server to cause a denial of service.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.

CVE ID: CVE-2013-0169

DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as “Lucky Thirteen.” The vulnerability could allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.

CVE ID: CVE-2013-1478

DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to 2D.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81754
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.

CVE ID: CVE-2013-1480

DESCRIPTION:
The IBM Java JRE used in IBM Cognos Express is susceptible to an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to AWT.

CVSS:
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81757
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0

REMEDIATION:
The recommended solution is to apply the fix in one of the versions listed.

Workarounds and Mitigations

None. Install the fixes as listed above.
