Critical Vulnerabilities Addressed with Cognos Analytics 11.2.4 and 11.1.7 FP6

Hey. Remember the Apache Log4j vulnerabilities that had us scrambling last holiday season? Well…we’ve got some new vulnerabilities this holiday season that we should each assess in terms of potential risk to our organizations. They are probably not as pervasive as the Log4j issues of old, but they are certainly worth evaluating. As is often the case, most of the vulnerabilities live in third-party components used by IBM Cognos Analytics rather than in Cognos code itself. Here are a few of the higher CVSS base score issues on IBM’s radar that were addressed with base 11.2.4 and Fix Pack 6 for 11.1.7…

  • 9.8 CVSS base score: CVE-2022-36364 Apache Calcite Avatica code execution exposed via flaw in the JDBC driver

  • 7.7 CVSS base score: CVE-2022-25647 Google Gson denial of service

  • 6.5 CVSS base score: CVE-2022-43883 CA log injection attack using URLs from user-controlled data

  • 5.3 CVSS base score: CVE-2021-29469 Node.js vulnerable to denial of service via regex input

The full list of vulnerabilities addressed with Cognos Analytics 11.2.4 (base) and 11.1.7 FP6 is CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, and CVE-2022-36364. You should review the complete list on the security bulletin and assess each risk individually for your own environments. Depending on your particular situation, some may be more critical in terms of possible consequences or more likely to be exploited. The good news is that the latest release of Cognos Analytics and the latest fix for the 11.1.7 stream address these issues well, fix many meaningful APARs, and add new features to your Cognos environments. Remember, upgrading isn’t just for new features. Make sure to join us for our live 11.2.4 unboxing on January 4th at noon central to learn more about each of these…and our awesome Cognos utility (both free and premium), CogBox.

Below are a few helpful resources to better understand security risks, help manage concerns, and address issues…

PMsquare will continue to monitor ongoing vulnerabilities identified and will update our blog as conditions invariably change. Get ready for some upgrading! Or…better yet…have PMsquare do it for you.