SB2017112706 - Multiple vulnerabilities in IBM Cognos Controller 

Published: November 27, 2017
Updated: February 27, 2025

Security Bulletin ID: SB2017112706
Severity: High
Patch available: Yes
Number of vulnerabilities: 32
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 41%
Medium: 6%
Low: 53%

Description

This security bulletin contains information about 32 security vulnerabilities.


1) Remote code execution (CVE-ID: CVE-2017-3514)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an unknown error in the Java SE AWT component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

2) Remote code execution (CVE-ID: CVE-2017-3512)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an unknown error in the Java SE AWT component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

3) Remote code execution (CVE-ID: CVE-2017-3511)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an unknown error in the Java SE, Java SE Embedded, JRockit JCE component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

4) Denial of service (CVE-ID: CVE-2017-3526)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted webpage and cause the system to crash.

Successful exploitation of the vulnerability results in denial of service.

5) Security restrictions bypass (CVE-ID: CVE-2017-3509)

The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The weakness exists due to an unknown error. A remote attacker can read and modify arbitrary files.


6) Security restrictions bypass (CVE-ID: CVE-2017-3544)

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to an unknown error in the Java SE, Java SE Embedded Networking component. A remote attacker can access and modify arbitrary data.


7) Security restrictions bypass (CVE-ID: CVE-2017-3533)

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to an unknown error in the Java SE, Java SE Embedded, JRockit Networking component. A remote attacker can access and modify arbitrary data.


8) Security restrictions bypass (CVE-ID: CVE-2017-3539)

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to an unknown error in the Java SE, Java SE Embedded Security component. A remote attacker can trick the victim into visiting a specially crafted webpage and access and modify arbitrary data.

9) Buffer over-read (CVE-ID: CVE-2017-12899)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to buffer over-read in the DECnet component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.

10) Denial of service (CVE-ID: CVE-2016-9840)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

11) Denial of service (CVE-ID: CVE-2016-9841)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

12) Denial of service (CVE-ID: CVE-2016-9842)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to an undefined left shift of a negative number. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

13) Denial of service (CVE-ID: CVE-2016-9843)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to a big-endian out-of-bounds pointer. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.


14) Arbitrary code execution (CVE-ID: CVE-2017-10125)

The vulnerability allows an attacker with physical access to the system to execute arbitrary code on the target system.

The weakness exists due to an unknown error. A remote attacker can execute arbitrary code with elevated privileges and compromise the vulnerable system.

15) Privilege escalation (CVE-ID: CVE-2017-10067)

The vulnerability allows a remote authenticated attacker to gain elevated privileges.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website and gain privileged access to the system.

16) Information disclosure (CVE-ID: CVE-2017-10115)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to an unknown error. A remote attacker can disclose important data on the target system.

17) Security restrictions bypass (CVE-ID: CVE-2017-10078)

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions, and disclose and modify important data on the system.

18) Remote code execution (CVE-ID: CVE-2017-10090)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

19) Remote code execution (CVE-ID: CVE-2017-10096)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

20) Remote code execution (CVE-ID: CVE-2017-10101)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

21) Remote code execution (CVE-ID: CVE-2017-10116)

The vulnerability allows a remote authenticated attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

22) Remote code execution (CVE-ID: CVE-2017-10102)

The vulnerability allows a remote authenticated attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

23) Remote code execution (CVE-ID: CVE-2017-10087)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

24) Remote code execution (CVE-ID: CVE-2017-10089)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

25) Remote code execution (CVE-ID: CVE-2017-10107)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take full control of the system.

26) Remote code execution (CVE-ID: CVE-2017-10110)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges, and take control of the affected system.

27) Privilege escalation (CVE-ID: CVE-2017-1376)

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists due to a flaw in the IBM J9 VM class verifier. A remote attacker can supply specially crafted untrusted code to disable the security manager and escalate privileges on the system.

28) Security restrictions bypass (CVE-ID: CVE-2017-10105)

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to an unknown error. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions, and modify arbitrary data on the system.

29) Denial of service (CVE-ID: CVE-2017-10053)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an unknown error. A remote attacker can cause the application to crash.

30) Denial of service (CVE-ID: CVE-2017-10108)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an unknown error. A remote attacker can cause the application to crash.

31) Denial of service (CVE-ID: CVE-2017-10109)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an unknown error. A remote attacker can cause the application to crash.

32) Information disclosure (CVE-ID: CVE-2017-10243)

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause a DoS condition on the target system.

The weakness exists due to an unknown error. A remote attacker can disclose arbitrary files or cause the application to crash.

Remediation

Install the update from the vendor's website.