Critical Severity

Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Security vulnerabilities have been addressed in IBM Cognos Analytics 11.2.3. Where applicable, these vulnerabilities were also previously addressed in IBM Cognos Analytics 11.1.7 FP5. Multiple Cross-Site Request Forgery vulnerabilities have been addressed (CVE-2020-4301, CVE-2021-20468, CVE-2021-29823). A vulnerability where passwords were logged in plain text has been addressed (CVE-2021-39009). A vulnerability where a password field had autocomplete enabled has been addressed (CVE-2021-39045). A Denial of Service (DoS) vulnerability via email flooding has been addressed (CVE-2022-30614). An XML Entity Expansion vulnerability has been addressed (CVE-2022-36773).

The following third-party components are used by IBM Cognos Analytics:

Node.js glob-parent is a package that extracts the non-magic parent path from a glob string (CVE-2020-28469).
Chalk ansi-regex is a regular expression for matching ANSI escape codes (CVE-2021-3807).
Axios is a promise-based HTTP client for the browser and Node.js (CVE-2021-3749).
Node.js mpath is a package that gets/sets JavaScript object values using MongoDB-like path notation (CVE-2021-23438).
Node.js netmask is a library that parses and understands IPv4 CIDR blocks so they can be explored and compared (CVE-2021-29418, CVE-2021-28918).
Netty is a Java-based non-blocking I/O networking framework (CVE-2021-43797).
FasterXML Jackson is a JSON to Java object conversion API (CVE-2020-36518, XFID: 217968).
Node.js is an open-source, cross-platform JavaScript runtime environment (CVE-2021-44533, CVE-2022-21824, CVE-2021-44531, CVE-2021-44532).
Node.js ejs is an embedded JavaScript templating language that lets users generate HTML markup with plain JavaScript (CVE-2022-29078).
Node.js nconf is a hierarchical Node.js configuration library with files, environment variables, command-line arguments, and atomic object merging (CVE-2022-21803).
Maven okhttp is an efficient HTTP and HTTP/2 client for Android and Java applications (XFID: 233967).

CVE(s): CVE-2020-4301, CVE-2021-3749, CVE-2020-36518, CVE-2022-29078, CVE-2021-29418, CVE-2021-28918, CVE-2021-39009, CVE-2020-28469, CVE-2021-39045, CVE-2021-43797, CVE-2021-44533, CVE-2022-21824, CVE-2021-44531, CVE-2021-44532, CVE-2021-3807, CVE-2021-29823, CVE-2021-20468, CVE-2021-23438, CVE-2022-21803, CVE-2022-30614, CVE-2022-36773, IBM X-Force ID: 217968, IBM X-Force ID: 233967

Affected product(s) and affected version(s):

IBM Cognos Analytics 11.2.x

IBM Cognos Analytics 11.1.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/6615285
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/176609
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/208438
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/222319
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/225116
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/199130
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198894
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/213554
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/196451
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/214345
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215118
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/216932
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/216933
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/216930
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/216931
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/209596
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/204465
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/196825
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/208595
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/224357
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/227591
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/233571