Multiple vulnerabilities in IBM Cognos Controller
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 25 |
| CVE-ID | CVE-2017-10345 CVE-2017-10295 CVE-2017-10281 CVE-2017-10350 CVE-2017-10347 CVE-2017-10349 CVE-2017-10348 CVE-2017-10357 CVE-2017-10355 CVE-2016-9841 CVE-2017-10356 CVE-2017-10388 CVE-2016-9843 CVE-2016-9842 CVE-2016-9840 CVE-2016-10165 CVE-2018-1447 CVE-2016-0705 CVE-2017-3732 CVE-2017-3736 CVE-2018-1428 CVE-2018-1427 CVE-2018-1426 CVE-2016-0702 CVE-2017-1681 |
| CWE-ID | CWE-264 CWE-125 CWE-20 CWE-200 CWE-521 CWE-415 CWE-310 CWE-327 CWE-190 CWE-338 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #9 is available. |
| Vulnerable software |
IBM Cognos Controller Client/Desktop applications / Other client software |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 25 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU8871
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10345
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU8867
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10295
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to access potentially sensitive information.
The weakness exists due to a flaw in the Javadoc component. A remote attacker can partially modify arbitrary files on the target system.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Denial of service
EUVDB-ID: #VU8863
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10281
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service on the target system.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU8875
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10350
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the JAX-WS component. A remote attacker can trigger partial denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Denial of service
EUVDB-ID: #VU8864
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10347
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service on the target system.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU8874
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10349
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the JAXP component. A remote attacker can trigger partial denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper access control
EUVDB-ID: #VU8873
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10348
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the Libraries component. A remote attacker can trigger partial denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper access control
EUVDB-ID: #VU8878
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10357
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper access control
EUVDB-ID: #VU8876
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2017-10355
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to a flaw in the Networking component. A remote attacker can trigger partial denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Denial of service
EUVDB-ID: #VU6664
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9841
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improper access control
EUVDB-ID: #VU9120
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10356
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The weakness exists due to a flaw in the Security component. A remote
attacker can gain unauthorized access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Privilege escalation
EUVDB-ID: #VU8881
Risk: Low
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10388
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists due to a flaw in the Libraries component. A remote attacker can escalate his privileges on the target system.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Denial of service
EUVDB-ID: #VU6666
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9843
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to big-endian out-of-bounds pointer. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Denial of service
EUVDB-ID: #VU6665
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9842
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to an undefined left shift of negative number. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Denial of service
EUVDB-ID: #VU6663
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9840
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Information disclosure
EUVDB-ID: #VU8861
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-10165
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to a flaw in the 2D (Little CMS 2) component. A remote attacker can read arbitrary files on the target system.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Weak passwords requirements
EUVDB-ID: #VU12308
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-1447
CWE-ID:
CWE-521 - Weak Password Requirements
Exploit availability: No
DescriptionThe vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to the GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. A local attacker can gain access to potentially sensitive information.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Double free error
EUVDB-ID: #VU1622
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-0705
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to double-free error when parsing DSA private keys. A remote attacker can trigger memory corruption and cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Information disclosure
EUVDB-ID: #VU5442
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3732
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to propagating error in the x86_64 Montgomery squaring procedure. A remote attacker with access to unpatched vulnerable system that uses a shared private key with Diffie-Hellman (DH) parameters set can gain unauthorized access to sensitive private key information.
According to vendor’s advisory, this vulnerability is unlikely to be exploited in real-world attacks, as it requires significant resources and online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.
Vulnerability exploitation against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Carry propagation issue
EUVDB-ID: #VU9109
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3736
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt data.
The vulnerability exists due to carry propagating bug in the x86_64 Montgomery squaring procedure (bn_sqrx8x_internal). A remote attacker can decrypt encrypted data. The vulnerability affects processors that support the BMI1, BMI2 and ADX extensions like
Intel Broadwell (5th generation) and later or AMD Ryzen.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Use of a broken or risky cryptographic algorithm
EUVDB-ID: #VU12309
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-1428
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
DescriptionThe vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to IBM GSKit uses weaker than expected cryptographic algorithms. A local attacker can gain access to potentially sensitive information.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Integer overflow
EUVDB-ID: #VU12310
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-1427
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to IBM GSKit contains several environment variables. A local attacker can cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Use of cryptographically weak PRNG
EUVDB-ID: #VU12311
Risk: Low
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-1426
CWE-ID:
CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists due to IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which can result in duplicate Session IDs and a risk of duplicate key material. A remote attacker can gain access to potentially sensitive information and write arbitrary files.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Information disclosure
EUVDB-ID: #VU1962
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-0702
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to decrypt data passed via encrypted SSL connection.
The vulnerability exists in the MOD_EXP_CTIME_COPY_FROM_PREBUF() function in crypto/bn/bn_exp.c. The application does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts.
The vulnerability was dubbed "CacheBleed".
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Information disclosure
EUVDB-ID: #VU10431
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1681
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in the web interface of IBM WebSphere Application Server
due to the improper handling of application
requests. A local attacker can send a specially crafted request and obtain unauthorized access to read a file.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Controller: 10.2.0 - 10.3.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cognos_controller:10.3.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
