Security Bulletin: IBM Cognos Command Center has addressed vulnerabilities IBM® Semeru Java™ Version 11, Apache ActiveMQ and Microsoft .Net MVC Framework for ASP.Net

Summary

There are vulnerabilities in IBM® Semeru Java™ Version 11, Apache ActiveMQ and Microsoft .Net MVC Framework for ASP.Net used by IBM Cognos Command Center. IBM Cognos Command Center 10.2.5 IF1 has addressed the applicable CVEs by upgrading to non-vulnerable versions of these libraries. Please refer to the table in the Related Information section for vulnerability impact.

Vulnerability Details

CVEID:CVE-2023-46604
**DESCRIPTION:**Apache ActiveMQ and ActiveMQ Legacy OpenWire Module could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the class types in the OpenWire protocol. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269795 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)

CVEID:CVE-2023-50324
**DESCRIPTION:**IBM Cognos Command Center exposes details the X-AspNet-Version Response Header that could allow an attacker to obtain information of the application environment to conduct further attacks.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/275038 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2010-2084
**DESCRIPTION:**Microsoft ASP.NET is vulnerable to cross-site scripting. Setting the InnerHtml property on a control that inherits from HtmlContainerControl is not prevented. A remote attacker could exploit this vulnerability using vectors related to an attribute to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/59055 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2023-22081
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-5676
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

IBM Cognos Command Center Cloud environments have been updated.

Workarounds and Mitigations

None