Security Bulletin: IBM Cognos Business Intelligence Server 2016Q1 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

Summary

This bulletin addresses several security vulnerabilities.

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6 and the IBM® Runtime Environment Java™ Technology Edition, Version 7 that are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates in January 2016.

Security issues were also addressed in LibXML2 and IBM WebSphere Portal (Liberty Profile).

Due to the ending of support for OpenSSL 0.9.8 we have upgraded to OpenSSL 1.0.2e

If you are using IBM Cognos TM1, you should also apply IBM Cognos TM1 Security fixes. This will ensure TM1 and Business Intelligence continue to operate as expected. Please see the Related Information section below.

Vulnerability Details

CVEID: CVE-2015-1819 DESCRIPTION: Libxml is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error in the xmlreader when processing XML data. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 5.300
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/107272&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-2017 DESCRIPTION: The IBM WebSphere Portal is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/103991&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVEID: CVE-2015-5312 DESCRIPTION: An unspecified error in Libxml2 related to an entity expansion flaw has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108319&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7497 DESCRIPTION: Libxml2 is vulnerable to a denial of service, caused by a heap-based buffer overflow in the xmlDictComputeFastQKey() function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108320&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7498 DESCRIPTION: An unspecified error in Libxml2 related to the processing of entities after encoding conversion failures have occured has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108321&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7499 DESCRIPTION: An unspecified error in Libxml2 related to some parser errors has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108322&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7500 DESCRIPTION: Libxml2 is vulnerable to a denial of service, caused by a memory access error when handling invalid entity boundaries. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108323&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7941 DESCRIPTION: Libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by improper validation when processing XML files. By using a specially-crafted XML file, an attacker could exploit this vulnerability to cause an out of bounds read error allowing the attacker to execute arbitrary code on the system.
CVSS Base Score: 4.300
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/108071&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-7942 DESCRIPTION: Libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by improper validation when processing XML files. By using a specially-crafted XML file, an attacker could exploit this vulnerability to cause an out of bounds read error allowing the attacker to execute arbitrary code on the system.
CVSS Base Score: 4.300
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/108073&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-8035 DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an error when xz support is enabled. By using a specially-crafted xml file, an local attacker could exploit this vulnerability to cause the software to crash.
CVSS Base Score: 4.000
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/107845&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-8241 DESCRIPTION: libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the XML parser in xmlNextChar. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.900
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/108169&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8242 DESCRIPTION: libxml2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the HTML parser in push mode in xmlSAX2TextNode. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.900
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/108170&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8317 DESCRIPTION: libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the xmlParseXMLDecl function. By using a malformed XML file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108316&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-0448 DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JMX component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109949&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2016-0466 DESCRIPTION: An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the JAXP component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109948&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

• • IBM Cognos Business Intelligence Server 10.2.2
• IBM Cognos Business Intelligence Server 10.2.1.1
• IBM Cognos Business Intelligence Server 10.2.1
• IBM Cognos Business Intelligence Server 10.2
• IBM Cognos Business Intelligence Server 10.1.1
• IBM Cognos Business Intelligence Server 10.1
• IBM Cognos Business Intelligence Server 8.4.1

Remediation/Fixes

The recommended solution is to apply the fix for versions listed as soon as practical.

8.4.1: <http://www-01.ibm.com/support/docview.wss?uid=swg24041797&gt;
10.1.x: <http://www-01.ibm.com/support/docview.wss?uid=swg24041904&gt;
10.2.x: <http://www-01.ibm.com/support/docview.wss?uid=swg24041905&gt;

Workarounds and Mitigations

None known. Apply fixes.