Feb 24, 2020 - 7:27 a.m.

Security Bulletin: A Security Vulnerability Exists in IBM Cognos TM1

2020-02-24 07:27:10
www.ibm.com

EPSS: 0.001 (Low), percentile 44.9%

Summary

A vulnerability in which the PM Hub configuration was exposed via the web interface has been addressed.

Vulnerability Details

CVEID: CVE-2016-0381
DESCRIPTION: IBM TM1 Cognos is vulnerable to a denial of service, caused by an administrator blanking out a value called “AdminGroups” under the security settings node of the IBM Cognos Performance Management Hub configuration page at host/pmhub/pm/admin. Once the value is blanked out, other users with knowledge of the URL can gain access to the configuration page, enter a non-blank value and prevent further access to the configuration.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112247 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

  • IBM Cognos TM1 10.2.2

Remediation/Fixes

The recommended solution is to apply the fix for the versions listed as soon as practical.

Cognos TM1 10.2.2 Fix Pack 5

Link: http://www-01.ibm.com/support/docview.wss?uid=swg24041747

Cognos TM1 10.2.2 FP5 IF1

Link: http://www.ibm.com/support/docview.wss?uid=swg24041902

CPE Name      Operator   Version
cognos tm1    eq         10.2.2
