Security Bulletin
Summary
A number of security vulnerabilities exist in the IBM Cognos Business Intelligence product.
Vulnerability Details
VULNERABILITY DETAILS:
CVEID: CVE-2013-3030 Denial of service attack against servlet gateway
DESCRIPTION:
A malicious user may send specially crafted HTTP requests to the IBM Cognos Business Intelligence servlet gateway and stop it from accepting further requests for a period of time, effectively causing a denial of service to users of the system.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84592 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PRODUCTS AND VERSIONS:
IBM Cognos Business Intelligence 10.2.1 and earlier
REMEDIATION:
Apply the fix appropriate for your platform and version (see below)
Workaround(s) & Mitigation(s):
This only affects installations that use the Servlet gateway.
CVEID: CVE-2013-4002 Apache Xerces-J XML parser Denial of Service attack
DESCRIPTION:
A malicious user that is able to send a specially crafted XML document via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
AFFECTED PRODUCTS AND VERSIONS:
IBM Cognos Business Intelligence 10.2.1 and earlier
REMEDIATION:
Apply the fix appropriate for your platform and version (see below)
Workaround(s) & Mitigation(s):
none
CVEID: CVE-2013-5372 Apache Xerces-J XML parser Denial of Service attack
DESCRIPTION:
A malicious user that is able to send a specially crafted XML document via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
AFFECTED PRODUCTS AND VERSIONS:
IBM Cognos Business Intelligence 10.2.1 and earlier
REMEDIATION:
Apply the fix appropriate for your platform and version (see below)
Workaround(s) & Mitigation(s):
none
CVEID: CVE-2013-2407 Unspecified vulnerability in the Java Runtime Environment (JRE) component
DESCRIPTION:
A malicious user that is able to send a XML document with specially crafted Signature data via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
AFFECTED PRODUCTS AND VERSIONS:
IBM Cognos Business Intelligence 10.2.1 and earlier
REMEDIATION:
Apply the fix appropriate for your platform and version (see below)
Workaround(s) & Mitigation(s):
This vulnerability is related to the version of Java shipped with IBM Cognos BI Server on Windows. Java is not included on other platforms. Users of other platforms, or Windows users that use a version of Java other than the included version, should contact their Java provider for the equivalent fix.
CVEID: CVE-2013-2450 Unspecified vulnerability in the Java Runtime Environment (JRE) component
DESCRIPTION:
A malicious user that is able to send specially crafted data via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PRODUCTS AND VERSIONS:
IBM Cognos Business Intelligence 10.2.1 and earlier
REMEDIATION:
Apply the fix appropriate for your platform and version (see below)
Workaround(s) & Mitigation(s):
This vulnerability is related to the version of Java shipped with IBM Cognos BI Server on Windows. Java is not included on other platforms. Users of other platforms, or Windows users that use a version of Java other than the included version, should contact their Java provider for the equivalent fix.
CVEID: CVE-2013-4034 External XML Entity Attack
DESCRIPTION:
A malicious user that is able to send specially crafted XML data to the IBM Cognos Business Intelligence server may be able to gain unauthorized access to files from the server.
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
AFFECTED PRODUCTS AND VERSIONS:
IBM Cognos Business Intelligence 10.2.1 and earlier
REMEDIATION:
Apply the fix appropriate for your platform and version (see below)
Workaround(s) & Mitigation(s):
none
DOWNLOADS:
Cognos 8 Business Intelligence 8.4.1 Interim Fix 3 for Security Exposure
Cognos Business Intelligence 10.2 and 10.2.1 Interim Fixes for Security Exposure
Cognos Business Intelligence 10.1 Interim Fixes for Security Exposure
References
Change History
11 November 2013: Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
15 June 2018
UID
swg21652590