IBM Security Bulletin: Multiple Vulnerabilities in IBM Cognos Analytics

This bulletin addresses several security vulnerabilities that are fixed in IBM Cognos Analytics 11.0.11.0. IBM Cognos Analytics consumes Apache POI, in which multiple vulnerabilities have been addressed. IBM Cognos Analytics consumes IBM GSKit, in which multiple vulnerabilities have been addressed. A potential information disclosure vulnerability has been addressed in IBM WAS Liberty, which is shipped with IBM Cognos Analytics. A vulnerability was found in IBM Cognos Business Intelligence Cognos Configuration whereby, under specialized circumstances, plain text credentials could be exposed to a local user; this has also been addressed in IBM Cognos Analytics. A stored cross-site scripting (XSS) vulnerability has been addressed that could allow users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CVE(s): CVE-2014-9527, CVE-2017-5644, CVE-2016-0702, CVE-2017-1681, CVE-2017-1764, CVE-2018-1413

Affected product(s) and affected version(s):

IBM Cognos Analytics Versions 11.0.0.0 to 11.0.10.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22016039
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/99799
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/123699
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111144
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134003
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/136149
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/138819

The post IBM Security Bulletin: Multiple Vulnerabilities in IBM Cognos Analytics appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team https://ift.tt/2HOMiid