Saturday, August 26, 2017

IBM Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities

This bulletin addresses several security vulnerabilities that are fixed in IBM Cognos Analytics 11.0.7.0.

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7. These issues were disclosed as part of the IBM Java SDK updates in July 2016, October 2016, January 2017 and April 2017.

IBM Cognos Analytics uses GSKit. GSKit is vulnerable to Sweet32 Birthday attacks on 64-bit block ciphers in TLS, which could allow an attacker to obtain sensitive information. This vulnerability has been addressed.

IBM Cognos Analytics has addressed a vulnerability that allows an attacker to read the contents of a local file.

IBM Cognos Analytics uses Libxml2. Libxml2 is vulnerable to a denial of service attack which could cause the application to crash. This vulnerability has been addressed.

IBM Cognos Analytics has addressed an XSS vulnerability whereby malicious JavaScript can be loaded and executed.

IBM Cognos Analytics has addressed a vulnerability that allows a hostile URL to be loaded in an iframe, to which users can be directed without validation.

IBM Cognos Analytics has addressed a vulnerability whereby a malicious actor who is successfully logged in to UMS/Cognos with access to the dashboard could save a malicious script that is later executed in a user's browser. This could result in execution of arbitrary code which cannot be controlled by the solution.

IBM Cognos Analytics has addressed a vulnerability whereby a user who has not been granted the 'Show Detailed Errors' permission can still see the detailed error message in the Dashboard, including internal software details.

CVE(s): CVE-2016-3511, CVE-2016-3598, CVE-2016-3485, CVE-2017-3289, CVE-2017-3272, CVE-2017-3241, CVE-2016-5546, CVE-2017-3253, CVE-2016-5548, CVE-2016-5549, CVE-2017-3252, CVE-2016-5547, CVE-2016-5552, CVE-2017-3261, CVE-2017-3231, CVE-2017-3259, CVE-2017-3511, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-2183, CVE-2016-5597, CVE-2016-5554, CVE-2016-9710, CVE-2016-9597, CVE-2017-1427, CVE-2017-1428, CVE-2017-1485, CVE-2017-1535

Affected product(s) and affected version(s):

IBM Cognos Analytics Version 11.0.0.0 to 11.0.6.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2vxFkTW
X-Force Database: http://ift.tt/2b7Gtgl
X-Force Database: http://ift.tt/2aGcUP3
X-Force Database: http://ift.tt/2b7G65u
X-Force Database: http://ift.tt/2lA6pnI
X-Force Database: http://ift.tt/2msIV19
X-Force Database: http://ift.tt/2lAcror
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2msWpdg
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2lAk4Lp
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2lAiqcB
X-Force Database: http://ift.tt/2msOwVj
X-Force Database: http://ift.tt/2lAc9xE
X-Force Database: http://ift.tt/2msIPqs
X-Force Database: http://ift.tt/2pv7JaY
X-Force Database: http://ift.tt/2pvrrn2
X-Force Database: http://ift.tt/2pYfysm
X-Force Database: http://ift.tt/2pv79tT
X-Force Database: http://ift.tt/2pYkfm0
X-Force Database: http://ift.tt/2pvwR1f
X-Force Database: http://ift.tt/2lLwOQm
X-Force Database: http://ift.tt/2mlzP6B
X-Force Database: http://ift.tt/2lLuetu
X-Force Database: http://ift.tt/2mlCjlv
X-Force Database: http://ift.tt/2dR3VyC
X-Force Database: http://ift.tt/2e5pD2s
X-Force Database: http://ift.tt/2eDqzaq
X-Force Database: http://ift.tt/2rfAeN4
X-Force Database: http://ift.tt/2qKCE2O
X-Force Database: http://ift.tt/2vy5g1w
X-Force Database: http://ift.tt/2vfNF35
X-Force Database: http://ift.tt/2vy80Mv
X-Force Database: http://ift.tt/2vfFZy7

The post IBM Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2vxOgbZ
