IBM Cognos Analytics 11.1.1 < 11.1.7 FP8 / 11.2.x < 11.2.4 FP3 / 12.0.x < 12.0.2 (7123154)

critical Nessus Plugin ID 193868

Synopsis

The remote host is missing a security update.

Description

The version of IBM Cognos Analytics installed on the remote host is prior to 11.1.7 FP8, 11.2.4 FP3, or 12.0.2. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Bulletin No. 7123154, including the following:

- When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue. (CVE-2023-39410)

- In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). (CVE-2021-3711)

- SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. (CVE-2022-1471)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to IBM Cognos Analytics version 11.1.7 FP8 / 11.2.4 FP3 / 12.0.2 or later.

See Also

https://www.ibm.com/support/pages/node/7123154

Plugin Details

Severity: Critical

ID: 193868

File Name: ibm_cognos_7123154.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 4/25/2024

Updated: 12/18/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-44906

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2023-26136

Vulnerability Information

CPE: cpe:/a:ibm:cognos_analytics

Required KB Items: installed_sw/IBM Cognos Analytics

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/23/2024

Vulnerability Publication Date: 2/23/2024

CISA Known Exploited Vulnerability Due Dates: 10/31/2023

Reference Information

CVE: CVE-2012-5784, CVE-2014-3596, CVE-2018-8032, CVE-2019-0227, CVE-2019-1547, CVE-2020-1971, CVE-2020-28458, CVE-2021-23445, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-28167, CVE-2021-31684, CVE-2021-3449, CVE-2021-35550, CVE-2021-35556, CVE-2021-35559, CVE-2021-35560, CVE-2021-35564, CVE-2021-35565, CVE-2021-35578, CVE-2021-35586, CVE-2021-35588, CVE-2021-35603, CVE-2021-3572, CVE-2021-3711, CVE-2021-3712, CVE-2021-41035, CVE-2021-4160, CVE-2021-43138, CVE-2021-44906, CVE-2022-0778, CVE-2022-1471, CVE-2022-2097, CVE-2022-21299, CVE-2022-21434, CVE-2022-21443, CVE-2022-21496, CVE-2022-34169, CVE-2022-34357, CVE-2022-40897, CVE-2022-41854, CVE-2023-0215, CVE-2023-0464, CVE-2023-1370, CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968, CVE-2023-22049, CVE-2023-2597, CVE-2023-26115, CVE-2023-26136, CVE-2023-30588, CVE-2023-30589, CVE-2023-30996, CVE-2023-32344, CVE-2023-36478, CVE-2023-3817, CVE-2023-38359, CVE-2023-39410, CVE-2023-43051, CVE-2023-44487, CVE-2023-45857

IAVB: 2024-B-0046-S