SB2022081918 - Multiple vulnerabilities in IBM Cognos Command Center

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2020-14782)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to an error in CertPath implementation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-2369)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in JAR validation implementation. A remote attacker can modify the signed JAR file in a way it will be considered as signed.

3) Improper input validation (CVE-ID: CVE-2021-2341)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

4) Code Injection (CVE-ID: CVE-2021-2161)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the java.lang.ProcessBuilder API on the Windows platform. A remote attacker can manipulate the Process command line and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-command-center-7/"
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-command-center-7/</a><br>
• https://www.ibm.com/support/pages/node/6491161<br><br></p>