Security Bulletin
Summary
Cognos Analytics is vulnerable to a privilege escalation attack that could grant a user the Capabilities of another.
Vulnerability Details
CVEID: CVE-2016-8960
DESCRIPTION: IBM Cognos Business Intelligence could allow a user with lower privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie value from its HTTP request and then reusing it in subsequent requests.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
IBM Cognos Analytics 11.0.0.0 to 11.0.5.0.
Remediation/Fixes
Workarounds and Mitigations
There is a product setting which can be used to eliminate this vulnerability for the CA Server as follows:
1. Launch IBM Cognos Configuration
2. Select Local Configuration
3. Select Advanced Properties
4. Add a property with Name="EnableSecureUserCapabilitiesCache" and Value=”true”
5. Save the configuration
6. Restart the Cognos CA Server
In a distributed installation all CA Server instances should apply the setting.
A side effect of enabling this setting is that the user may experience the error DPR-ERR-2107 “The User Capabilities Cache cookie cannot be decoded” if her browser session with Cognos remains idle for longer than the Inactivity Timeout, which is one hour by default . It may also be seen the first time the setting is enabled after restarting in any Cognos browser sessions that remained open since the restart.
The DPR-ERR-2017 error can be resolved by clearing the browser's cookies.
The Inactivity Timeout is found in the Configuration tool under Security / Authentication.
Get Notified about Future Security Bulletins
References
Acknowledgement
Vulnerability reported to IBM by Mayank Somani.
Change History
6 November 2016: Original Version Published
21 November 2016: Added Acknowledgement
21 December 2016: Document updated to meet Security Bulletin guidelines
5 January 2017: Document updated to add Change Log
28 March 2017: Permanent fix available; link provided.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21993720