
Security Bulletin: Privilege Escalation vulnerability affects Cognos Analytics (CVE-2016-8960)

2018-06-15 23:17:03
www.ibm.com
8.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

Summary

Cognos Analytics is vulnerable to a privilege escalation attack that could grant a user the Capabilities of another.

Vulnerability Details

CVEID: CVE-2016-8960
DESCRIPTION: IBM Cognos Business Intelligence could allow a user with lower-privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie value from its HTTP request and then reusing it in subsequent requests.
CVSS Base Score (IBM's assessment): 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118849 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Cognos Analytics 11.0.0.0 to 11.0.5.0.

Remediation/Fixes

http://www.ibm.com/support/docview.wss?uid=swg24043412

Workarounds and Mitigations

There is a product setting which eliminates this vulnerability on the CA Server. To enable it:
1. Launch IBM Cognos Configuration
2. Select Local Configuration
3. Select Advanced Properties
4. Add a property with Name="EnableSecureUserCapabilitiesCache" and Value="true"
5. Save the configuration
6. Restart the Cognos CA Server

In a distributed installation, apply the setting on every CA Server instance.

A side effect of enabling this setting is that users may see the error DPR-ERR-2107 "The User Capabilities Cache cookie cannot be decoded" if their browser session with Cognos remains idle for longer than the Inactivity Timeout (one hour by default). The error may also appear, the first time the setting is enabled, in any Cognos browser sessions that remained open across the restart.

The DPR-ERR-2107 error can be resolved by clearing the browser's cookies.

The Inactivity Timeout is found in the Configuration tool under Security / Authentication.
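The vulnerability description and the EnableSecureUserCapabilitiesCache workaround describe the same design question from two sides: a "capabilities cache" cookie that the server trusts as presented can be captured from a higher-privileged user's request and replayed by anyone, whereas one that is signed, bound to the issuing session and aged out can no longer be replayed, at the cost that a stale cookie fails to decode (the DPR-ERR-2107 symptom). The Python below is an illustrative example added to this page; it is not Cognos Analytics code and makes no claim about how IBM implements the setting. The key, field names, function names and the INACTIVITY_TIMEOUT constant are assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key: a real deployment would load a per-server secret.
SERVER_KEY = b"constructed-example-key-not-a-real-secret"
# Mirrors the default one-hour Inactivity Timeout mentioned in the bulletin.
INACTIVITY_TIMEOUT = 3600


class CookieDecodeError(Exception):
    """Raised when a capabilities cookie fails validation (the analogue of
    the DPR-ERR-2107 'cannot be decoded' condition)."""


# --- Variant 1: unauthenticated cache cookie (the vulnerable pattern) ----
def make_plain_cookie(capabilities):
    """Serialise the user's capability set with no integrity protection."""
    return base64.urlsafe_b64encode(
        json.dumps(sorted(capabilities)).encode()).decode()


def read_plain_cookie(cookie, session_id):
    """Accept whatever the cookie says. Nothing binds it to the presenting
    session, so a value captured from an administrator's request is honoured
    on a low-privileged user's session as well."""
    del session_id  # unused: the flaw is exactly that it is never checked
    return set(json.loads(base64.urlsafe_b64decode(cookie)))


# --- Variant 2: HMAC-signed, session-bound, expiring cache cookie --------
def make_secure_cookie(capabilities, session_id, now=None):
    """Bind the capability set to the issuing session and issue time, then
    sign the body with a server-side key."""
    now = int(time.time()) if now is None else now
    payload = {"caps": sorted(capabilities), "sid": session_id, "iat": now}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(tag)).decode()


def read_secure_cookie(cookie, session_id, now=None):
    """Verify signature, session binding and age before trusting the
    capability set; any failure is reported as a decode error."""
    now = int(time.time()) if now is None else now
    try:
        body, tag_b64 = cookie.encode().split(b".", 1)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # also covers binascii.Error from bad base64
        raise CookieDecodeError("malformed cookie")
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise CookieDecodeError("signature mismatch")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["sid"] != session_id:
        raise CookieDecodeError("cookie was issued to a different session")
    if now - payload["iat"] > INACTIVITY_TIMEOUT:
        # The cookie outlived the inactivity window: the client must drop it
        # (the bulletin's "clear the browser's cookies" remedy) and get a new one.
        raise CookieDecodeError("cookie expired")
    return set(payload["caps"])


def try_read_secure(cookie, session_id, now):
    """Wrap read_secure_cookie so callers get ('ok', caps) or ('error', why)."""
    try:
        return ("ok", read_secure_cookie(cookie, session_id, now))
    except CookieDecodeError as err:
        return ("error", str(err))


def replay_demo():
    """A low-privileged session replays a cookie captured from an admin."""
    admin_caps = {"Administration", "Report Studio"}
    # Unauthenticated cookie: the replay silently grants the admin's capabilities.
    plain_result = read_plain_cookie(make_plain_cookie(admin_caps), "sess-lowpriv")
    # Signed cookie: the session binding rejects the replay outright.
    signed = make_secure_cookie(admin_caps, "sess-admin", now=1_000)
    secure_result = try_read_secure(signed, "sess-lowpriv", now=1_000)
    return plain_result, secure_result


if __name__ == "__main__":
    print(replay_demo())
```

The session binding is what defeats the replay described in the CVE text; the issue-time check is what produces the "cannot be decoded" behaviour on an idle session, which is why the only remedy for a stale cookie is to discard it and let the server issue a fresh one. A cookie that is encrypted but not bound to a session or time would still be replayable, so encryption alone is not the fix.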

CPE Name              Operator  Version
ibm cognos analytics  eq        11.0
