IBM9A135CF5F1DD70B64FF2E55C6A7E52F7C3A64DEEFDD86F45910661C5A67617D8Security Bulletin: A vulnerability in IBM Java SDK affects Rational Reporting for Development Intelligence (CVE-2016-3427)
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 6 that is used by Rational Reporting for Development Intelligence (RRDI). The issue was disclosed as part of the IBM Java SDK updates in April 2016.
Vulnerability Details
CVEID: CVE-2016-3427** *DESCRIPTION: An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected Products and Versions
Principal Product and Version(s)
| Affected Supporting Product(s) and Version(s)
—|—
RRDI 2.0, 2.0.1, 2.0.3 and 2.0.4| Cognos BI 10.1.1
RRDI 2.0.5 and 2.0.6| Cognos BI 10.2.1
RRDI 5.0, 5.0.1 and 5.0.2| Cognos BI 10.2.1 Fix pack 2
Jazz Reporting Service 5.0, 5.0.1 and 5.0.2
Remediation/Fixes
Apply the recommended fixes to all affected versions of RRDI.
RRDI 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4
- Download the IBM Cognos Business Intelligence 10.1.1 Interim Fix 19 (Implemented by file 10.1.6306.509).
Review technote 1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
- Download the IBM Cognos Business Intelligence 10.2.1 Interim Fix 17 (Implemented by file 10.2.5000.528).
Review technote 1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
RRDI 5.0 and 5.0.1 and 5.0.2
-
If the Data Collection Component (DCC) or Jazz Reporting Service (JRS, also known as Report Builder) is used, perform this step first.
Review the topics in Security Bulletin: A security vulnerability has been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-3427) for addressing the listed vulnerability in the underlying Jazz Team Server. -
If the Cognos-based reporting server is used, also perform this step.
Download the IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 16 (Implemented by file 10.2.5010.512).
Review technote 1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
Related
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C