SB2018052909 - Multiple vulnerabilities in IBM Cognos Command Center
Published: May 29, 2018
Security Bulletin ID
SB2018052909
Severity
Low
Patch available
YES
Number of vulnerabilities
7
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2018-2579)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit Libraries component. A remote attacker can partially access data.
2) Security restrictions bypass (CVE-ID: CVE-2018-2602)
The vulnerability allows a local attacker to bypass security restrictions on the target system.The weakness exists due to a flaw in the Java SE, Java SE Embedded I18n component. A local attacker can partially access data, partially modify data, and partially deny service.
3) Security restrictions bypass (CVE-ID: CVE-2018-2603)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit Libraries component. A remote attacker can cause partial denial of service conditions.
4) Privilege escalation (CVE-ID: CVE-2018-2633)
The vulnerability allows a remote attacker to gain elevated privileges.The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit JNDI component. A remote attacker can gain system privileges on the target system.
5) Security restrictions bypass (CVE-ID: CVE-2018-1417)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.The weakness exists due to allowing untrusted code running under a security manager. A remote attacker can gain root privileges.
6) Security restrictions bypass (CVE-ID: CVE-2018-2783)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Java SE, Java SE Embedded, JRockit accessible data and gain unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data.
7) Privilege escalation (CVE-ID: CVE-2018-2794)
The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.The weakness exists in the Java SE, JRockit component of Oracle Java SE due to improper security restrictions. A local attacker can execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.