
Security Bulletin: IBM Cognos BI 8.4 Partial Denial of Service Vulnerability

2022-09-25 23:13:40
www.ibm.com

EPSS: 0.001 (Low), Percentile: 48.8%

Abstract

A malicious IBM Cognos BI 8.4 user is able to send a crafted request to the Cognos server which triggers high CPU utilization that may cause a partial denial of service condition due to CPU consumption. This vulnerability can only be exploited by authenticated users, and is not applicable to IBM Cognos BI 10.1 and later versions.

Content

DESCRIPTION: The partial denial of service condition is temporary and does not block other users from accessing the Cognos application.

CVE ID: CVE-2012-4847

CVSS: 4

AFFECTED PLATFORMS: IBM Cognos BI version 8.4 and 8.4.1

REMEDIATION: Upgrade to IBM BI version 10.1 or later.

WORKAROUND: Disable anonymous access to prevent unauthenticated users from accessing the vulnerable URL.

ACKNOWLEDGEMENT: This vulnerability was reported to IBM by Niv Sela, Hacktics ASC, Ernst & Young.

[{"Product":{"code":"SSEP7J","label":"Cognos Business Intelligence"},"Business Unit":{"code":"BU059","label":"IBM Software w/o TPS"},"Component":"–","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.4;8.4.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
