SB2024072508 - Multiple vulnerabilities in IBM Cognos Analytics

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2024-28233)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

2) Deserialization of untrusted data (CVE-ID: CVE-2024-27322)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted RDS (R Data Serialization) formatted file to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Cleartext transmission of sensitive information (CVE-ID: CVE-2019-0231)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect handling of close_notify SSL/TLS messages that results in software not closing the connection and retaining the socket opened, which allows a client to receive clear text messages afterward. A remote attacker can intercept traffic between client and server application and gain access to potentially sensitive information.

4) Infinite loop (CVE-ID: CVE-2021-41973)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop while processing HTTP requests. A remote attacker can consume all available system resources and cause denial of service conditions.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7157712