IBM plugs security leaks in Cognos Controller
IBM has released updates for IBM Cognos Controller and IBM Controller. Among other things, they close high-risk vulnerabilities.
(Image: created with AI in Bing Designer by heise online / dmk)
There are security gaps in the IBM Cognos Controller and IBM Controller business software. The manufacturer is now plugging these with updated packages. IT managers should install them promptly.
In the associated security notice, IBM explains that the vulnerabilities lie mainly in software supplied by third-party manufacturers, including open-source components. The update closes a total of ten security vulnerabilities. According to IBM, there are no temporary countermeasures to mitigate the vulnerabilities; updating is therefore mandatory.
Vulnerabilities with high risk
While eight of the vulnerabilities represent a medium threat level, IBM classifies two of them as high risk. Due to insufficient certificate validation, unauthorized users can gain access to protected resources (CVE-2024-40702, CVSS 8.2, risk "high"). IBM does not discuss how malicious actors could abuse this vulnerability, nor how an attack could be detected.
The supplied Axios client is vulnerable to server-side request forgery (SSRF) due to an error in which requests for “path relative” URLs are processed as “protocol relative URLs” (CVE-2024-39338, CVSS 7.5, high).
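The distinction the advisory refers to, as an added illustration that is not code from the article, from IBM or from the Axios project: a string beginning with a single slash is a path relative to the request's base URL, whereas one beginning with two slashes is a protocol-relative URL that names a new host. A client that confuses the two will send the request to a host the caller never intended. The function names, the base URL and the hostnames below are constructed for the example.

```javascript
// Naive check found in many codebases: "starts with a slash, so it is a
// path on our own host". It wrongly accepts protocol-relative input.
function naiveIsPath(input) {
  return input.startsWith("/");
}

// Classify the request string before resolving it against the base URL.
// An absolute URL carries a scheme; "//host/..." is protocol-relative;
// a single leading slash is path-relative.
function classifyUrl(input) {
  if (/^[a-z][a-z\d+\-.]*:\/\//i.test(input)) return "absolute";
  if (input.startsWith("//")) return "protocol-relative";
  if (input.startsWith("/")) return "path-relative";
  return "relative";
}

// Resolve `input` against `baseUrl` and refuse any result whose origin
// differs from the base origin. The origin comparison is the robust part:
// it also catches variants the string check misses, such as "/\evil.example",
// which the WHATWG URL parser normalises to "//evil.example" for http(s).
function resolveWithinBase(baseUrl, input) {
  const base = new URL(baseUrl);
  const kind = classifyUrl(input);
  if (kind === "absolute" || kind === "protocol-relative") {
    throw new Error(`refusing ${kind} URL: ${input}`);
  }
  const resolved = new URL(input, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`resolved origin ${resolved.origin} is not ${base.origin}`);
  }
  return resolved.href;
}
```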
The versions that fix the vulnerabilities are IBM Controller 11.1.0.1 (download in IBM's "Fix Central") and IBM Cognos Controller 11.0.1 FP3 (download in IBM's "Fix Central"). They are also available for cloud deployments; affected customers should open a support case with IBM Support to have the update applied.
The last time security vulnerabilities in IBM Cognos Analytics were discovered was in 2022. At that time, attackers were able to infiltrate and execute malicious code through the vulnerabilities. Third-party software was also responsible for the majority of the vulnerabilities back then.
(dmk)