Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM92E24CC8E9D28E3D3D657708EBF6EFC86784D3C85F2197F14638191C6FCFAB42
HistoryApr 16, 2024 - 7:21 p.m.

Security Bulletin: IBM Cognos Command Center has addressed vulnerabilities IBM® Semeru Java™ Version 11 and Apache Commons

2024-04-1619:21:10
www.ibm.com
8
ibm cognos command center
ibm semeru java version 11
apache commons
vulnerability
upgrading
non-vulnerable versions
cve-2024-20932
cve-2024-20952
cve-2024-20918
cve-2024-20921
cve-2024-20926
cve-2024-20945
cve-2024-22361

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON

Summary

There are vulnerabilities in IBM® Semeru Java™ Version 11, Apache Commons Compress and Apache Commons Configuration used by IBM Cognos Command Center. IBM Cognos Command Center 10.2.5 IF2 has addressed the applicable CVEs by upgrading to non-vulnerable versions of these libraries. Please refer to the table in the Related Information section for vulnerability impact.

Vulnerability Details

CVEID:CVE-2024-20932
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high integrity impact.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279715 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2024-20952
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20918
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20921
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20926
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20945
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-22361
**DESCRIPTION:**IBM Semeru Runtime 8.0.302.0 through 8.0.392.0, 11.0.12.0 through 11.0.21.0, 17.0.1.0 - 17.0.9.0, and 21.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 281222.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281222 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-25710
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283472 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-26308
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-29131
**DESCRIPTION:**Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2024-29133
**DESCRIPTION:**Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286005 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cognos Command Center 10.2.5
IBM Cognos Command Center 10.2.4.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Affected Product(s) Version Fix
IBM Cognos Command Center 10.2.5 IBM® Cognos® Command Center® 10.2.5 IF2 available for download
IBM Cognos Command Center 10.2.4.1 IBM® Cognos® Command Center® 10.2.5 IF2 available for download

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcognos_command_centerMatch10.2.5
OR
ibmcognos_command_centerMatch10.2.4.1

Related

ibm 50
nessus 61
openvas 24
osv 12
debian 3
ubuntu 4
redhat 26
aix 1
centos 2
oraclelinux 7
almalinux 5
amazon 1
mageia 1
f5 1
fedora 1
ibm
ibm
Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to multiple issues due to IBM Semeru Runtime
2024-03-12 09:26:18
Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to various attacks due to IBM Runtime Environment Java Technology Edition Version 17
2024-04-08 17:29:53
Security Bulletin: There are multiple vulnerabilities in IBM Semeru Runtime that is shipped with IBM App Connect Enterprise
2024-03-25 15:56:34
nessus
nessus
Debian dsa-5613 : openjdk-17-dbg - security update
2024-02-02 00:00:00
OpenJDK 8 <= 8u392 / 11.0.0 <= 11.0.21 / 17.0.0 <= 17.0.9 / 21.0.0 <= 21.0.1 Multiple Vulnerabilities (2024-01-16
2024-01-23 00:00:00
Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.7.1.7)
2024-04-08 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-5613-1)
2024-02-02 00:00:00
openSUSE: Security Advisory for java (SUSE-SU-2024:0325-1)
2024-03-04 00:00:00
Ubuntu: Security Advisory (USN-6696-1)
2024-03-18 00:00:00
osv
osv
openjdk-17 - security update
2024-02-01 00:00:00
Important: java-11-openjdk security update
2024-01-18 00:00:00
openjdk-17 vulnerabilities
2024-02-27 02:04:18
debian
debian
[SECURITY] [DSA 5613-1] openjdk-17 security update
2024-02-01 22:40:03
[SECURITY] [DLA 3728-1] openjdk-11 security update
2024-01-31 15:32:31
[SECURITY] [DSA 5604-1] openjdk-11 security update
2024-01-23 21:54:17
ubuntu
ubuntu
OpenJDK 8 vulnerabilities
2024-03-18 00:00:00
OpenJDK 17 vulnerabilities
2024-02-27 00:00:00
OpenJDK 11 vulnerabilities
2024-02-27 00:00:00
redhat
redhat
(RHSA-2024:0222) Important: OpenJDK 8u402 security update
2024-01-17 13:52:34
(RHSA-2024:0224) Important: java-1.8.0-openjdk security and bug fix update
2024-01-17 15:22:22
(RHSA-2024:0226) Important: java-1.8.0-openjdk security and bug fix update
2024-01-17 15:24:39
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2024-03-07 15:16:48
centos
centos
java security update
2024-01-26 18:12:38
java security update
2024-01-26 18:11:41
oraclelinux
oraclelinux
java-17-openjdk security and bug fix update
2024-01-22 00:00:00
java-11-openjdk security update
2024-01-17 00:00:00
java-11-openjdk security update
2024-01-23 00:00:00
almalinux
almalinux
Important: java-17-openjdk security and bug fix update
2024-01-17 00:00:00
Important: java-11-openjdk security update
2024-01-18 00:00:00
Important: java-1.8.0-openjdk security and bug fix update
2024-01-17 00:00:00
amazon
amazon
Important: java-1.8.0-openjdk
2024-02-01 19:57:00
mageia
mageia
Updated java 1.8.0, 11 & latest packages fix security vulnerabilities
2024-03-15 05:49:05
f5
f5
K000138851 : OpenJDK vulnerabilities CVE-2024-20921, CVE-2024-20926, and CVE-2024-20932
2024-03-07 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: apache-commons-configuration-2.10.1-1.fc39
2024-03-30 01:10:55

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON
Related for 92E24CC8E9D28E3D3D657708EBF6EFC86784D3C85F2197F14638191C6FCFAB42
ibm50nessus61openvas24osv12debian3ubuntu4redhat26aix1centos2oraclelinux7almalinux5amazon1mageia1f51fedora1