IBM has released a critical security update for its Cognos Analytics software, addressing two severe vulnerabilities: CVE-2023-42017 and CVE-2024-51466.
These vulnerabilities could allow attackers to upload malicious files or execute Expression Language (EL) injection attacks, putting sensitive data and system stability at risk. Users are urged to act immediately to secure their systems.
CVE-2023-42017: Malicious File Upload Vulnerability
CVE-2023-42017 arises from the system’s failure to validate uploaded files via the web interface. A privileged user could exploit this weakness to upload harmful executable files, which could then be sent to a victim for further exploitation.
This vulnerability is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. With a CVSS v3.0 base score of 8.0, the flaw is considered high severity.
The risk includes significant compromise of confidentiality, integrity, and availability. Exploitation can occur remotely and requires minimal attacker effort, yet the consequences can be severe.
CVE-2024-51466: Expression Language Injection Vulnerability
CVE-2024-51466 is an Expression Language (EL) Injection vulnerability that allows a remote attacker to embed malicious EL statements into the system.
Exploiting this flaw could result in the exposure of sensitive information, resource exhaustion, or a server crash.
This vulnerability is classified under CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement.
With a CVSS v3.1 base score of 9.0, it is rated as critical. Its attack vector does not depend on direct interaction with the system by the attacker, which further increases its exploitability in networked environments.
Affected Products and Versions
The following versions of IBM Cognos Analytics are affected:
- Versions 12.0.0 to 12.0.4
- Versions 11.2.0 to 11.2.4 FP4
These versions are vulnerable to both flaws, making it imperative for organizations using these systems to apply updates immediately.
IBM has provided fixes to address these vulnerabilities. Users of version 12.0.4 should install Interim Fix 1, while those using version 11.2.4 FP4 should upgrade to FP5.
No workarounds or mitigations are available, so upgrading to the fixed versions is essential.
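As an added triage helper (this is not IBM's code and is not part of the advisory), the following script maps an installed Cognos Analytics version string onto the affected ranges and fix levels listed above, so an inventory can be checked for instances still needing the update. The version-string format "major.minor.patch [FPn] [IFn]" is an assumption, and versions outside the two listed families are reported as not affected only because the summary above lists nothing else.

```python
import re
from typing import List, NamedTuple

# Assumed version-string format: "major.minor.patch", optionally followed by
# " FPn" (fix pack) and/or " IFn" (interim fix), e.g. "11.2.4 FP4", "12.0.4 IF1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*FP\s*(\d+))?(?:\s*IF\s*(\d+))?\s*$", re.IGNORECASE
)


class CognosVersion(NamedTuple):
    """Comparable version tuple; a missing FP or IF level counts as 0."""
    major: int
    minor: int
    patch: int
    fixpack: int = 0
    interim: int = 0


def parse_version(text: str) -> CognosVersion:
    """Parse a Cognos Analytics version string into a CognosVersion tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cognos version string: {text!r}")
    major, minor, patch, fp, ifix = m.groups()
    return CognosVersion(int(major), int(minor), int(patch), int(fp or 0), int(ifix or 0))


# Affected ranges from the advisory summary: the lower bound is inclusive and a
# version stays affected until it reaches the fix level named for its branch.
AFFECTED_RANGES = [
    # 12.0.0 .. 12.0.4 affected; 12.0.4 Interim Fix 1 is the fix.
    (CognosVersion(12, 0, 0), CognosVersion(12, 0, 4, 0, 1)),
    # 11.2.0 .. 11.2.4 FP4 affected; 11.2.4 FP5 is the fix (an IF on FP4 does not count).
    (CognosVersion(11, 2, 0), CognosVersion(11, 2, 4, 5, 0)),
]


def is_affected(text: str) -> bool:
    """True when the version is inside an affected range and below its fix level."""
    v = parse_version(text)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def triage(inventory: List[str]) -> List[str]:
    """Return the inventory entries still exposed to CVE-2023-42017 / CVE-2024-51466."""
    return [entry for entry in inventory if is_affected(entry)]


if __name__ == "__main__":
    # Constructed sample inventory, not real deployments.
    for entry in triage(["12.0.4", "12.0.4 IF1", "11.2.4 FP4", "11.2.4 FP5", "11.1.7"]):
        print("needs update:", entry)
```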
The emergence of CVE-2023-42017 and CVE-2024-51466 highlights the critical need for organizations to stay vigilant and proactive in maintaining security.
IBM users must prioritize applying the recommended fixes to avoid potential exploitation, ensuring the protection of sensitive data and system stability.