Security Bulletin
Summary
Cognos Analytics is vulnerable to a XSS attack when executing a report.
Vulnerability Details
CVEID: CVE-2016-3032
DESCRIPTION: IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
IBM Cognos Analytics 11.0.0.0 and later.
Remediation/Fixes
None
Workarounds and Mitigations
Reports containing Hyperlinks or Hyperlink Buttons (HTML Items) can be created by report authors and executed by users. Malicious scripts can be inserted into these items, creating an XSS vulnerability when the report is executed. The ability to add HTML Items is enabled by default but can be disabled using the steps below.
In the Authoring perspective, the Hyperlink object can be found in the Tools tab under the Textual items. This is also relevant to the HTML item in the Tools -> Advanced section.
Executing the report with any account will allow the report to run and select the Hyperlink. Users could also see the links when opening a saved report that was executed by a different user.
Resolving the issue:
Disabling the Capability to execute reports with embedded HTML in Cognos Analytics reports can be accomplished in two ways: globally and on an object (folder or package) level.
Note: You cannot deny Capabilities or other permissions to System Administrators.
1 - Globally:
As a System Administrator user enter the Administration console.
Go to the Security tab and select Capabilities -> Report Studio to expand the selections.
Click the arrow for 'HTML Items in Report' and select ‘Set properties’.
Disable access to this capability by selecting the checkbox for ‘Override the access permissions acquired from the parent entry’ then select the User/Group/Roles and remove the Grant. You can also select the Deny checkbox.
2 - Remove at a folder or package level via the following method. Requires Write access.
Go to the properties of the containing Package or Report and select the Capabilities tab. Then click Set…
Select the User/Groups or Roles you want to deny access to the HTML Item in Report. Select Deny in the Capabilities list for the HTML Item in Report Capability.
The Result:
Restricted Users will return an error when executing a report with an HTML/Hyperlink item.
“RSV-SVR-0031 The user does not have the assigned capability to use the ‘hyperlink’ layout element.
Get Notified about Future Security Bulletins
References
Acknowledgement
This vulnerability was reported to IBM by Mohit Rawat and Sagar Pasrija.
Change History
25 April 2017: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21999791