IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q4 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

This bulletin addresses several security vulnerabilities. There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6 and the IBM® Runtime Environment Java™ Technology Edition, Version 7 that are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates. OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM Cognos Business Intelligence. IBM Cognos Business Intelligence has addressed the applicable CVEs. IBM Cognos Business Intelligence has addressed several Libxml2 vulnerabilities. There are multiple vulnerabilities in IBM® WebSphere Application Server Liberty. Liberty is used by IBM Cognos Business Intelligence version 10.2.2. These issues were disclosed as part of the IBM WebSphere Application Server Liberty updates. IBM Cognos Business Intelligence has addressed a vulnerability with Apache CommonsFileUpload affecting IBM Cognos Business Intelligence version 10.2.2 . A cross-side scripting vulnerability is also fixed.

CVE(s): CVE-2016-4483, CVE-2016-2073, CVE-2016-3705, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2015-8806, CVE-2016-5986, CVE-2016-0359, CVE-2016-0218, CVE-2016-6302, CVE-2016-6304, CVE-2016-6305, CVE-2016-6303, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-2181, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2182, CVE-2016-3498, CVE-2016-3552, CVE-2016-3503, CVE-2016-3092

Affected product(s) and affected version(s):

IBM Cognos Business Intelligence Server 10.2.2

• IBM Cognos Business Intelligence Server 10.2.1.1
• IBM Cognos Business Intelligence Server 10.2.1
• IBM Cognos Business Intelligence Server 10.2
• IBM Cognos Business Intelligence Server 10.1.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2iUSq8S
X-Force Database: http://ift.tt/2cX854V
X-Force Database: http://ift.tt/1PHUv5U
X-Force Database: http://ift.tt/1syye00
X-Force Database: http://ift.tt/29qofDU
X-Force Database: http://ift.tt/29hoGgb
X-Force Database: http://ift.tt/29qou1O
X-Force Database: http://ift.tt/2dmXfFU
X-Force Database: http://ift.tt/2ccJKps
X-Force Database: http://ift.tt/28YBUiZ
X-Force Database: http://ift.tt/2jepPOX
X-Force Database: http://ift.tt/2dR4fNY
X-Force Database: http://ift.tt/2dmY7tO
X-Force Database: http://ift.tt/2dR3XX1
X-Force Database: http://ift.tt/2dmXjFz
X-Force Database: http://ift.tt/2dmWOvf
X-Force Database: http://ift.tt/2aPXjQq
X-Force Database: http://ift.tt/2asKHex
X-Force Database: http://ift.tt/2dR5fBu
X-Force Database: http://ift.tt/2dmYpRr
X-Force Database: http://ift.tt/2dR3Smm
X-Force Database: http://ift.tt/2dmYa8Y
X-Force Database: http://ift.tt/2dmXLUk
X-Force Database: http://ift.tt/2dR3VyC
X-Force Database: http://ift.tt/2fn8D82
X-Force Database: http://ift.tt/2dTp6vD
X-Force Database: http://ift.tt/2dR45pA
X-Force Database: http://ift.tt/2bTqVZ8
X-Force Database: http://ift.tt/2ctoPUY
X-Force Database: http://ift.tt/2bTrbY9
X-Force Database: http://ift.tt/2bozrA8

from IBM Product Security Incident Response Team http://ift.tt/2iUJNLF