Cognos Business Intelligence is vulnerable to a privilege escalation attack that could grant a user the Capabilities of another.
DESCRIPTION: IBM Cognos Business Intelligence could allow a user with lower privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie value from its HTTP request and then reusing it in subsequent requests.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2
The recommended solution is to apply the fix for versions listed as soon as practical.
Workarounds and Mitigations
Configure the BI Server as follows to avoid the privilege escalation issue:
1. Launch IBM Cognos Configuration
2. Select Local Configuration
3. Select Advanced Properties
4. Add a property with Name="EnableSecureUserCapabilitiesCache" and Value=”true”
5. Save the configuration
6. Restart the Cognos BI Server
This action should be applied for all BI Server installations that could be affected. Any variation of the Cognos BI Server (Gateway, Content Manager, Application Tier) should apply the setting.
In a distributed installation all BI Server instances should apply the setting.
The setting is available in all versions of 10.2.2, 10.2.1, 10.2.1.1, and 10.2.0. It is not available in 10..1.1.
In a distributed installation if any instance is running 10.1.1 or lower, these instances would need to be upgraded to 10.2.0 or higher before the setting can be applied on any of the installations.
A side effect of enabling this setting is that the user may experience the error DPR-ERR-2107 “The User Capabilities Cache cookie cannot be decoded” if her browser session with Cognos remains idle for longer than the Inactivity Timeout, which is one hour by default . It may also be seen the first time the setting is enabled after restarting in any Cognos browser sessions that remained open since the restart.
The DPR-ERR-2017 error can be resolved by clearing the browser's cookies.
The Inactivity Timeout is found in the Configuration tool under Security / Authentication.
Get Notified about Future Security Bulletins
Vulnerability reported to IBM by Mayank Somani.
6 November 2016: Original Version Published
21 November 2016: Added Acknowledgement
21 December 2016: Document updated to meet Security Bulletin guidelines
5 January 2017: Document updated to add Change Log
3 March 2017: Permanent fix available; link provided. Correct platforms and versions for fix.
24 March 2017: Added affected products and versions.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
15 June 2018