IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 213554. The tracked Event ID is 8100 Entity SQL Injection. IBM X-Force ID: 203774.

The tracked Event ID is 8100 Entity SQL Injection. IBM X-Force ID: 203774. In IBM Cognos Analytics 11.2.0, the application returns an anonymous user ID to the web application. This anonymous user ID is stored in an unencrypted cookie which can be accessed by a local privileged user. IBM X-Force ID: 213553.

In IBM Cognos Analytics 11.2.0, the application returns an anonymous user ID to the web application. This anonymous user ID is stored in an unencrypted cookie which can be accessed by a local privileged user. IBM X-Force ID: 213553. The tracked Event ID is 8100 Entity SQL Injection. IBM X-Force ID: 203773.

The tracked Event ID is 8100 Entity SQL Injection. IBM X-Force ID: 203773. In IBM Cognos Analytics 11.2.0, when an administrator creates a new user, the application returns the administrator’s email address (for example, support@example.com) in plain text. The administrator’s email address is stored

IBM Cognos Risk Management and IBM xForce Application Security

In IBM Cognos Analytics 11.1.7, when an administrator creates a new user, the application returns the administrator’s email address (for example, support@example.com) in plain text. The administrator’s email address is stored in cleartext and can be read by a local privileged user with access to the lower privilege database. IBM X-Force ID: 213555.

In IBM Cognos Analytics 11.1.7, when an administrator creates a new user, the application returns the administrator’s email address (for example, support@example.com) in plain text. The administrator’s email address is stored in cleartext and can be read by a local privileged user with access to the lower privilege database. IBM X-Force ID: 213555. In IBM Cognos Analytics 11.2 and earlier versions of IBM Cognos Analytics before 11.2 Patch 01a, if an application database was not password protected using SQL Server Authentication Mode or Windows Authentication Mode and there was no authentication mode configured for web service access (using WSRP), then anyone with access to the lower privilege database could use their own credentials to log into any web service running on that same server as an anonymous user without raising any security alarms or being challenged for credentials by the system while they were logged into that web service as an anonymous user to view data from that web service without raising any security alarms or being challenged for credentials by the system while

IBM Cognos Analytics Information Exposure Scenario

In IBM Cognos Analytics 11.2.0, when an administrator creates a new user, the application returns the administrator’s email address (for example, support@example.com) in plain text. The administrator’s email address is stored in an unencrypted cookie which can be accessed by a local privileged user. IBM X-Force ID: 213553.

Implementation and Verification Steps for DB Auditing

The following steps can be taken to verify the security of an IBM Cognos Analytics 11.2.0 installation:
1. Run the command "wmic" on a Windows machine to determine if the system is vulnerable to CVE-2021-39009.
2. Run the command "wmic" with the "-m" option, which outputs a detailed report about systems running Windows that are vulnerable to CVE-2021-39009:
3. Check for login events using Event Viewer on your IBM Cognos Analytics 11.2.0 server and remove any traces of credentials from MySQL or other sources by performing a data wipe and reviewing any open TCP or UDP ports in use on that server.
4. Deploy WAFs and/or SIEMs capable of monitoring APIs that may be used by IBM Cognos Analytics 11.2.0 to communicate with other services, such as Graphana, for better visibility into potential API vulnerabilities in accordance with PCI DSS requirement 3-9(g).
5. Scan all processes related to database operations and review any plain text credentials stored in those processes in accordance with PCI DSS requirement 3-9(g).
6. Review any third party API's used by IBM Cognos Analytics 11.2.0 for potential vulnerabilities according to PCI DSS requirement 3-9(g).
7. Test database configurations for unauthorized access according to PCI DSS requirements 1-6(c)(viii) through

Timeline

Published on: 09/01/2022 19:15:00 UTC
Last modified on: 09/07/2022 14:20:00 UTC

References