High Severity

Security Bulletin: IBM Cognos Controller has addressed multiple vulnerabilities


This Security Bulletin addresses multiple vulnerabilities that have been remediated in IBM Cognos Controller 10.4.0 IF11, 10.4.1 IF12 and 10.4.2 IF17. There are multiple vulnerabilities in IBM® Runtime Environment Java™ used by IBM Cognos Controller. The applicable CVEs have been addressed by upgrading to IBM® Runtime Environment Java™ Version 8 Service Refresh 6 Fix Pack 15. If you run your own Java code using the IBM® Runtime Environment Java™ delivered with this product, you should evaluate that code to determine whether additional Java vulnerabilities apply to it. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin” located in the References section. There are vulnerabilities in IBM WebSphere Application Server Liberty used by IBM Cognos Controller. The applicable CVEs have been addressed by upgrading to IBM WebSphere Application Server Liberty 20.0.0.7. XML External Entity (XXE), Authentication Bypass and Modification of Assumed-Immutable Data (MAID) vulnerabilities have also been addressed in the applicable versions. Please note that IBM Cognos Controller 10.4.2 IF17 also addresses the Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 (see References).

CVE(s): CVE-2020-4876, CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-4329, CVE-2020-4879, CVE-2020-4877, CVE-2019-2962, CVE-2019-2983, CVE-2019-2989, CVE-2019-2992, CVE-2019-12406, CVE-2020-4875, CVE-2019-4732

Affected product(s) and affected version(s):

IBM Cognos Controller 10.4.2

IBM Cognos Controller 10.4.1

IBM Cognos Controller 10.4.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/6509856
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/190839
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/185055
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/185056
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/185057
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/177841
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/190847
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/190843
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/169268
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/169289
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/169295
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/169298
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/190838
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/172618
