SB2018071611 - Multiple vulnerabilities in IBM Cognos Insight
Published: July 16, 2018
Description
This security bulletin contains information about 14 security vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2018-2790)
The vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system. The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and update, insert or delete some of Java SE, Java SE Embedded accessible data.
2) Security restrictions bypass (CVE-ID: CVE-2018-2783)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Java SE, Java SE Embedded, JRockit accessible data and gain unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data.
3) Security restrictions bypass (CVE-ID: CVE-2018-2797)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
4) Security restrictions bypass (CVE-ID: CVE-2018-2796)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
5) Security restrictions bypass (CVE-ID: CVE-2018-2795)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
6) Security restrictions bypass (CVE-ID: CVE-2018-2637)
The vulnerability allows a local attacker to bypass security restrictions on the target system. The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit JMX component. A remote attacker can access and modify data.
7) Information disclosure (CVE-ID: CVE-2018-2634)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system. The weakness exists due to a flaw in the Java SE, Java SE Embedded JGSS component. A remote attacker can access data.
8) Security restrictions bypass (CVE-ID: CVE-2018-2603)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit Libraries component. A remote attacker can cause partial denial of service conditions.
9) Security restrictions bypass (CVE-ID: CVE-2018-2602)
The vulnerability allows a local attacker to bypass security restrictions on the target system. The weakness exists due to a flaw in the Java SE, Java SE Embedded I18n component. A local attacker can partially access data, partially modify data, and partially deny service.
10) Denial of service (CVE-ID: CVE-2018-2663)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit Libraries component. A remote attacker can cause partial denial of service conditions.
11) Improper authentication (CVE-ID: CVE-2018-0733)
The vulnerability allows a remote attacker to modify potentially sensitive information on the target system. The weakness exists in the PA-RISC CRYPTO_memcmp function due to improper authentication. A remote attacker can write arbitrary data.
12) Resource exhaustion (CVE-ID: CVE-2018-0739)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to excessive stack memory consumption. A remote attacker can cause the service to crash.
13) Carry propagation issue (CVE-ID: CVE-2017-3736)
The vulnerability allows a remote attacker to decrypt data. The vulnerability exists due to a carry propagation bug in the x86_64 Montgomery squaring procedure (bn_sqrx8x_internal). A remote attacker can decrypt encrypted data. The vulnerability affects processors that support the BMI1, BMI2 and ADX extensions, such as Intel Broadwell (5th generation) and later or AMD Ryzen.
14) Out-of-bounds read (CVE-ID: CVE-2017-3735)
The vulnerability allows a remote attacker to perform a spoofing attack. The vulnerability exists due to a one-byte out-of-bounds read when parsing an IPAddressFamily extension in an X.509 certificate. A remote attacker can disguise the text display of the certificate.
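For readers who maintain their own certificate-parsing code, the following is an added example (not from the bulletin, and not OpenSSL's code) of the bounds check that an IPAddressFamily parser needs. Per RFC 3779 the addressFamily field is an OCTET STRING of 2 or 3 bytes: a two-byte Address Family Identifier (AFI) followed by an optional one-byte Subsequent AFI (SAFI). The SAFI byte may only be read when the field is actually 3 bytes long; reading it unconditionally is exactly the one-byte over-read described above. The struct and function names (`addr_family_t`, `parse_address_family`) and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed view of an RFC 3779 addressFamily field (constructed type name). */
typedef struct {
    uint16_t afi;      /* Address Family Identifier, e.g. 1 = IPv4, 2 = IPv6 */
    int      has_safi; /* 1 if the optional third byte was present */
    uint8_t  safi;     /* Subsequent AFI, valid only when has_safi == 1 */
} addr_family_t;

/*
 * Safely decode the addressFamily OCTET STRING contents.
 * Returns 1 on success and fills *out; returns 0 if the field is malformed.
 * The length check happens before any byte is touched, so a 2-byte field
 * never causes buf[2] to be read.
 */
int parse_address_family(const unsigned char *buf, size_t len, addr_family_t *out)
{
    if (buf == NULL || out == NULL)
        return 0;
    /* RFC 3779: addressFamily is SIZE(2..3); anything else is invalid. */
    if (len < 2 || len > 3)
        return 0;

    out->afi = (uint16_t)(((uint16_t)buf[0] << 8) | buf[1]);
    if (len == 3) {
        out->has_safi = 1;
        out->safi = buf[2];     /* only reached when the byte exists */
    } else {
        out->has_safi = 0;
        out->safi = 0;
    }
    return 1;
}

/* Render the field for display; prints "AFI:SAFI" only when SAFI is present. */
int format_address_family(const addr_family_t *af, char *dst, size_t dstlen)
{
    if (af->has_safi)
        return snprintf(dst, dstlen, "%u:%u", af->afi, af->safi);
    return snprintf(dst, dstlen, "%u", af->afi);
}

int main(void)
{
    /* Constructed sample inputs: a 2-byte IPv4 field and a 3-byte IPv6 field
       with SAFI 1 (unicast). */
    const unsigned char ipv4_only[] = { 0x00, 0x01 };
    const unsigned char ipv6_safi[] = { 0x00, 0x02, 0x01 };
    const unsigned char too_short[] = { 0x00 };
    addr_family_t af;
    char text[32];

    if (parse_address_family(ipv4_only, sizeof ipv4_only, &af)) {
        format_address_family(&af, text, sizeof text);
        printf("2-byte field -> %s\n", text);
    }
    if (parse_address_family(ipv6_safi, sizeof ipv6_safi, &af)) {
        format_address_family(&af, text, sizeof text);
        printf("3-byte field -> %s\n", text);
    }
    if (!parse_address_family(too_short, sizeof too_short, &af))
        printf("1-byte field rejected\n");
    return 0;
}
```

The point of the example is the ordering: length validation first, then field access guarded by that validated length. A display routine that trusts `has_safi` instead of the raw buffer cannot be driven to print a byte that lies past the end of the extension.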
Remediation
Install the update from the vendor's website.