IBM Support

Browser Exploit Against SSL/TLS (a.k.a. BEAST) security vulnerability in Controller

Problem

Customer runs security vulnerability scanning software (for example IBM AppScan) against Controller. A 'BEAST' vulnerability is detected.

Symptom

AppScan report:
Browser Exploit Against SSL/TLS (a.k.a. BEAST)
Severity: Medium
CVSS Score: 6.4
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web server or application server is configured in an insecure way
Fix: Change server's supported ciphersuites
Difference:
Reasoning: AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed above.
[SSLv3/TLS1.0 cipher suites with CBC]

Cause

Defect (APAR PI47785) in Controller 10.2.5110.91 and some earlier versions.

Resolving The Problem

Upgrade to Controller 10.2.5110.95 (also known as 10.2.1 FP1 IF1 GA) or later.

Document Information

Modified date:
15 June 2018

UID

swg21965705