Security Bulletin: IBM Cognos Analytics has addressed security vulnerabilities in JupyterHub, R Programming Language and Apache MINA (CVE-2024-28233, CVE-2024-27322, CVE-2019-0231, CVE-2021-41973)

Published: 2024-06-27 22:33:39
Source: www.ibm.com
Tags: ibm cognos analytics, xss, rce, dos, information disclosure, jupyterhub, r programming language, apache mina

CVSS2: 5.0 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
AI Score: 10 High (Confidence: High)
EPSS: 0.005 Low (Percentile: 75.5%)

Summary

IBM Cognos Analytics is affected by a cross-site scripting (XSS) vulnerability in JupyterHub and a remote code execution (RCE) vulnerability in the R Programming Language, which is used by Jupyter Notebook. IBM Cognos Analytics has also addressed a Denial of Service (DoS) vulnerability and an Information Disclosure vulnerability in Apache MINA. IBM Cognos Analytics has addressed the applicable CVEs by upgrading the vulnerable libraries. Please refer to the Related Information section below for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Cognos Analytics and not to any nested dependencies within the product.

Vulnerability Details

CVEID: CVE-2024-28233
**DESCRIPTION:** JupyterHub is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/286522 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID: CVE-2019-0231
**DESCRIPTION:** Apache MINA could allow a remote attacker to obtain sensitive information, caused by the improper handling of the close_notify SSL/TLS message in the SSLFilter. By sending a specially crafted request, an attacker could exploit this vulnerability to receive clear-text messages and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159470 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2021-41973
**DESCRIPTION:** Apache MINA is vulnerable to a denial of service, caused by a flaw in the HTTP header decoder. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to cause the HTTP header decoder to loop indefinitely, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/212552 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-27322
**DESCRIPTION:** R Programming Language could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By persuading a victim to open a specially crafted .rds or .rdx file, an attacker could exploit this vulnerability to execute arbitrary code on the system. (No privileges are required on the target, consistent with the PR:N and UI:R components of the vector below.)
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/289561 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cognos Analytics 12.0.0-12.0.3
IBM Cognos Analytics 11.2.0-11.2.4 FP3

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by upgrading.

**Product(s)**          **Version(s)**         **Remediation/Fix/Instructions**
IBM Cognos Analytics    12.0.0-12.0.3          Downloading IBM Cognos Analytics 12.0.3 IF1
IBM Cognos Analytics    11.2.0-11.2.4 FP3      IBM Cognos Analytics 11.2.4 FP4
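The affected ranges above end at a fix-pack level ("11.2.4 FP3") while the fix for the 12.0 stream is an interim fix ("12.0.3 IF1"), so a plain numeric comparison of "11.2.4" or "12.0.3" will misclassify a patched host. The following triage helper is an added example, not IBM's or Vulners' code: it parses IBM Cognos Analytics version strings with an optional FP or IF suffix, encodes the two rows of the table above, and reports whether a given build is inside an affected range, at or after the fix level, or simply not covered by this bulletin. The suffix ordering rules are assumptions (a bare build is older than any FP/IF level of the same base; FP and IF levels on the same base are not compared and raise an error), and the host inventory at the bottom is constructed sample input.

```python
"""Triage IBM Cognos Analytics versions against the ranges in this bulletin.

Added example; not IBM's code. Assumptions not stated in the bulletin:
  * a version is "<major>.<minor>.<patch>[ FP<n>|IF<n>]";
  * within one base version the bare build is older than any FP/IF level,
    and levels of the same kind order numerically;
  * FP and IF levels on the same base are not comparable (ValueError).
"""
import re
from typing import Dict, NamedTuple, Tuple

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:(FP|IF)\s*(\d+))?\s*$", re.IGNORECASE)

# Rows copied from the Remediation/Fixes table: (range low, range high, first fixed level).
BULLETIN_RANGES = [
    ("12.0.0", "12.0.3", "12.0.3 IF1"),
    ("11.2.0", "11.2.4 FP3", "11.2.4 FP4"),
]


class CAVersion(NamedTuple):
    base: Tuple[int, ...]  # e.g. (11, 2, 4)
    kind: str              # "", "FP" or "IF"
    level: int             # fix-pack / interim-fix number, 0 when absent


def parse_version(text: str) -> CAVersion:
    """Parse strings such as "12.0.3", "11.2.4 FP3" or "12.0.3 IF1"."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cognos Analytics version: {text!r}")
    base = tuple(int(p) for p in m.group(1).split("."))
    kind = (m.group(2) or "").upper()
    level = int(m.group(3)) if m.group(3) else 0
    return CAVersion(base, kind, level)


def _cmp(a: CAVersion, b: CAVersion) -> int:
    """Return -1/0/1 ordering a against b; refuse to rank FP against IF."""
    if a.base != b.base:
        return -1 if a.base < b.base else 1
    if a.kind and b.kind and a.kind != b.kind:
        raise ValueError(f"cannot order {a.kind}{a.level} against {b.kind}{b.level} on base {a.base}")
    return (a.level > b.level) - (a.level < b.level)


def triage(version: str) -> str:
    """Classify one build: "affected", "at-or-after-fix" or "not-listed"."""
    v = parse_version(version)
    for low, high, fix in BULLETIN_RANGES:
        lo, hi, fx = (parse_version(s) for s in (low, high, fix))
        if v.base[:2] != lo.base[:2]:  # different major.minor stream
            continue
        if _cmp(v, lo) >= 0 and _cmp(v, hi) <= 0:
            return "affected"
        if _cmp(v, fx) >= 0:
            return "at-or-after-fix"
    return "not-listed"  # stream not covered by this bulletin


def triage_inventory(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a host -> version inventory."""
    return {host: triage(ver) for host, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are made up).
    sample = {
        "ca-prod-01": "11.2.4 FP3",
        "ca-prod-02": "11.2.4 FP4",
        "ca-dev-01": "12.0.3",
        "ca-dev-02": "12.0.3 IF1",
        "ca-legacy": "11.1.7",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host:12} {sample[host]:12} {status}")
```

"not-listed" is deliberately not "unaffected": a stream the bulletin does not mention (11.1.x in the sample) needs its own lookup, and a build the helper cannot rank (for example an FP level on a base whose fix is an IF) raises instead of guessing.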

Workarounds and Mitigations

None

Affected configurations (Vulners match list)

IBM Cognos Analytics 12.0.3, 12.0.2, 12.0.1, 12.0.0, 11.2.4, 11.2.3, 11.2.2, 11.2.1, 11.2.0
