IBM960C1E7C4AC187604EBA8C42C15A42B25BC450DF6136A0690D2DE71959EE900FSecurity Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2020-7789, CVE-2020-7598, CVE-2021-44906 , XFID: 216835, XFID: 220063)
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.035 Low
EPSS
Percentile
91.6%
Summary
Security vulnerabilities have been addressed in IBM Cognos Analytics 11.2.4 FP1 These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.1.7 FP6 where applicable. The following 3rd party components are used by IBM Cognos Analytics: Apache Lucene is a high-performance, full-featured text search engine library (XFID: 216835) Node-notifier is a node.js module for sending cross platform native notifications (CVE-2020-7789). Node-minimist is an argument parser for Node.js (CVE-2020-7598, CVE-2021-44906). Node.js unset-value is a Node.js module that deletes nested properties from an object using dot notation (XFID: 220063). IBM Cognos Analytics is affected but not classified as vulnerable to an Authentication Bypass vulnerability in Apache Shiro (CVE-2022-40664). IBM Cognos Analytics 11.2.4 FP1 has upgraded Apache Shiro to version 1.11.0.
Vulnerability Details
CVEID:CVE-2020-7789
**DESCRIPTION:**node-notifier could allow a remote attacker to execute arbitrary commands on the system, caused by improper sanitization of options params. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193001 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2020-7598
**DESCRIPTION:**minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177780 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2021-44906
**DESCRIPTION:**Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
**IBM X-Force ID:**216835
**DESCRIPTION:**Apache Lucene is vulnerable to a denial of service. By sending a specific regular expression query, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216835 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**IBM X-Force ID:**220063
**DESCRIPTION:**Node.js unset-value module is vulnerable to a denial of service, caused by a prototype pollution flaw in the unset function in index.js. By adding or modifying properties of Object.prototype using a proto or constructor payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220063 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Cognos Analytics | 11.2.x |
| IBM Cognos Analytics | 11.1.x |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading.
| **Product(s) ** | **Version(s) ** | **Remediation/Fix/Instructions ** |
|---|---|---|
| IBM Cognos Analytics |
11.2.x
|
Downloading IBM Cognos Analytics 11.2.4 FP1
IBM Cognos Analytics|
11.1.x
|
IBM Cognos Analytics 11.1.7 Fix Pack 6
This Security Bulletin is applicable to IBM Cognos Analytics 11.2.4 FP1 (On-Prem).
Remediation for IBM Cognos Analytics on Cloud 11.2.4 On-Demand (multi-tenant) will be completed during the next scheduled maintenance weekend.
IBM Cognos Analytics Cloud Hosted (Dedicated) customers can begin coordinating upgrades to IBM Cognos Analytics 11.2.4 FP1. Please contact IBM Support to schedule an upgrade.
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.035 Low
EPSS
Percentile
91.6%