Thursday, June 1, 2017

IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

This bulletin addresses several security vulnerabilities.

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6 and IBM® Runtime Environment Java™ Technology Edition, Version 7, which are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates in October 2016 and January 2017.

IBM Cognos Business Intelligence has addressed a vulnerability caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service.

IBM Cognos Business Intelligence 10.2.2 uses GSKit. GSKit is vulnerable to Sweet32 Birthday attacks on 64-bit block ciphers in TLS, which could allow an attacker to obtain sensitive information. This vulnerability has been addressed.

IBM Cognos Business Intelligence has addressed a vulnerability where a user can craft a URL that confirms the existence of, and exposes partial contents of, a file in the server's installation.

IBM Cognos Business Intelligence has addressed a vulnerability that allows an attacker to read the contents of a local file.

IBM Cognos Business Intelligence uses Libxml2. Libxml2 is vulnerable to a denial of service attack which could cause the application to crash. This vulnerability has been addressed.

IBM Cognos Business Intelligence has addressed several vulnerabilities that exist in Open Source OpenSSL. This vulnerability only affects versions 10.1.1, 10.2.1, 10.2.1.1 and 10.2.1.

CVE(s): CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-5554, CVE-2016-5597, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3289, CVE-2017-3272, CVE-2016-0254, CVE-2016-2183, CVE-2016-7055, CVE-2016-9597, CVE-2016-9710, CVE-2017-1125, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732

Affected product(s) and affected version(s):

IBM Cognos Business Intelligence Server 10.2.2
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.2.0
IBM Cognos Business Intelligence Server 10.1.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2qKkHS7
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2lAiqcB
X-Force Database: http://ift.tt/2eDqzaq
X-Force Database: http://ift.tt/2e5pD2s
X-Force Database: http://ift.tt/2lAc9xE
X-Force Database: http://ift.tt/2lAcror
X-Force Database: http://ift.tt/2lAk4Lp
X-Force Database: http://ift.tt/2msWpdg
X-Force Database: http://ift.tt/2msIPqs
X-Force Database: http://ift.tt/2msOwVj
X-Force Database: http://ift.tt/2lA6pnI
X-Force Database: http://ift.tt/2msIV19
X-Force Database: http://ift.tt/2rfzTtC
X-Force Database: http://ift.tt/2dR3VyC
X-Force Database: http://ift.tt/2hjUUfe
X-Force Database: http://ift.tt/2qKCE2O
X-Force Database: http://ift.tt/2rfAeN4
X-Force Database: http://ift.tt/2qKqXt7
X-Force Database: http://ift.tt/2kDB4yh
X-Force Database: http://ift.tt/2knsB3D
X-Force Database: http://ift.tt/2kDymIW

The post "IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities." appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team http://ift.tt/2qKnTwL