**CVSS2: 6.8 Medium**

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |

**CVSS3: 9.8 High**

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

**EPSS: 0.127 Low** (Percentile: 95.5%)
Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104). Although IBM Cognos Controller is not vulnerable to the listed CVEs, all instances of Apache Log4j v1.x were proactively upgraded to Apache Log4j v2.17.1 for the IBM Cognos Controller 10.4.2 and 10.4.1 streams.
CVEID: CVE-2022-23305
**DESCRIPTION:** Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2022-23302
**DESCRIPTION:** Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using the TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-4104
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
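Two of the three CVEs above only matter when a deployment's Log4j 1.x configuration actually wires up the affected appender class (JDBCAppender for CVE-2022-23305, JMSAppender for CVE-2021-4104). The following is an added example, not code from the bulletin or from IBM Cognos Controller, that reads a log4j.properties-style configuration and reports those appenders and whether any logger references them; the sample configuration is constructed, and the standalone JMSSink class (CVE-2022-23302) is not configured through an appender, so it is out of scope here.

```python
"""Flag Log4j 1.x appender classes named in the CVEs above in a
log4j.properties-style configuration (added example, not IBM's code)."""
import re

# Appender classes from the bulletin: JDBCAppender (CVE-2022-23305)
# and JMSAppender (CVE-2021-4104). JMSSink (CVE-2022-23302) is a
# standalone class, not an appender, so it cannot be found this way.
RISKY_APPENDER_CLASSES = {
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.jms.JMSAppender": "CVE-2021-4104",
}

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value,
    lines starting with '#' or '!' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props

def attached_appenders(props):
    """Appender names referenced by rootLogger/logger definitions
    (value format is 'LEVEL, appender1, appender2')."""
    names = set()
    for key, value in props.items():
        if key in ("log4j.rootLogger", "log4j.rootCategory") or \
                key.startswith(("log4j.logger.", "log4j.category.")):
            names.update(t.strip() for t in value.split(",")[1:])
    return names

def find_risky_appenders(text):
    """Return (appender name, class, CVE, attached to a logger?) tuples."""
    props = parse_properties(text)
    attached = attached_appenders(props)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value in RISKY_APPENDER_CLASSES:
            name = m.group(1)
            findings.append((name, value, RISKY_APPENDER_CLASSES[value],
                             name in attached))
    return findings

# Constructed sample configuration (not from any IBM product).
SAMPLE_CONFIG = """
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=app.log
log4j.appender.jms=org.apache.log4j.jms.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.sql=INSERT INTO logs VALUES ('%m')
"""

if __name__ == "__main__":
    for name, cls, cve, in_use in find_risky_appenders(SAMPLE_CONFIG):
        state = "attached to a logger" if in_use else "defined, not attached"
        print(f"{name}: {cls} ({cve}) - {state}")
```

An appender that is defined but not attached to any logger is still worth removing, since CVE-2021-4104 presupposes that whoever can edit the configuration can also attach it.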
**Affected Products and Versions**

IBM Cognos Controller 10.4.2
IBM Cognos Controller 10.4.1
IBM Cognos Controller 10.4.0
If you have the listed affected version, it is strongly recommended that you apply the most recent security update:
Affected Version | Fix Version |
---|---|
IBM Cognos Controller 10.4.2 | IBM Cognos Controller 10.4.2 FP1 |
IBM Cognos Controller 10.4.1 | IBM Cognos Controller 10.4.1 IF14 |
IBM Cognos Controller 10.4.0 | IBM Cognos Controller 10.4.2 FP1 |
**IBM Cognos Controller Cloud**
Remediation for IBM Cognos Controller 10.4.2 Cloud environments has completed and no further action is required.
Remediation for IBM Cognos Controller 10.4.1 Cloud environments will be completed during the next scheduled maintenance weekend.
None
CPE | Name | Operator | Version |
---|---|---|---|
| cognos controller | eq | 10.4.2 |
| cognos controller | eq | 10.4.1 |
| cognos controller | eq | 10.4.0 |