IBM reports multiple flaws in Cognos Analytics, at least one critical
Take action: First, make sure your IBM Cognos Analytics deployment is not reachable from the internet unless that is absolutely necessary. Then plan a quick patch cycle: the more severe flaw is rated critical, but both still require authenticated access, so you have a little time. Just don't ignore them.
Learn More
IBM has disclosed two security flaws in Cognos Analytics that could be used to compromise affected systems.
Vulnerability summary
- CVE-2024-51466 (CVSS score 9) - An Expression Language (EL) Injection vulnerability. A remote attacker could use a specially crafted EL statement to expose sensitive information, consume memory resources, and potentially crash the server.
- CVE-2024-40695 (CVSS score 8) - A Malicious File Upload vulnerability caused by insufficient validation of the content of files uploaded through the web interface. An attacker can use this weakness to upload malicious executable files to the system, which can then be used in further attacks against victims.
The following IBM Cognos Analytics versions are affected:
- IBM Cognos Analytics 12.0.0 - 12.0.4
- IBM Cognos Analytics 11.2.0 - 11.2.4 FP4
IBM strongly recommends addressing these vulnerabilities immediately by upgrading to the following patched versions:
- For versions 12.0.0 - 12.0.4: Upgrade to IBM Cognos Analytics 12.0.4 Interim Fix 1
- For versions 11.2.0 - 11.2.4 FP4: Upgrade to IBM Cognos Analytics 11.2.4 FP5
There are no workarounds or mitigations available for these vulnerabilities, making the upgrade to the latest secure versions essential.
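To turn the affected and fixed version ranges above into an inventory check, here is an added Python example (not IBM's tooling and not from the advisory). It assumes the version string reads the way IBM labels releases, e.g. "11.2.4 FP4" or "12.0.4 IF1", and it treats anything at or beyond the stated fix level on a listed branch as fixed; branches the advisory does not list (such as 11.1.x) are reported as "not listed" rather than assumed safe. Confirm both assumptions against IBM's advisory before relying on the output.

```python
"""Classify IBM Cognos Analytics version strings against the ranges in the advisory.

Added example, not IBM's own tooling. The version-string format
("<major>.<minor>.<patch> [FP<n>] [IF<n>]") is an assumption about how the
product banner / fix-pack naming reads.
"""
import re
from typing import NamedTuple, Optional, Tuple


class CognosVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    fixpack: int  # FPn, 0 when no fix pack is named
    interim: int  # IFn (interim fix), 0 when none is named


# Accepts "12.0.4", "11.2.4 FP4", "12.0.4 IF1", "11.2.4 FP4 IF2" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*FP\s*(\d+))?(?:\s*IF\s*(\d+))?\s*$", re.I
)


def parse_version(text: str) -> CognosVersion:
    """Parse a version string into a tuple that orders the way IBM's fix levels do."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cognos version string: {text!r}")
    major, minor, patch, fp, ifix = m.groups()
    return CognosVersion(int(major), int(minor), int(patch), int(fp or 0), int(ifix or 0))


def is_valid_version(text: str) -> bool:
    """True when the string matches the assumed version format."""
    return _VERSION_RE.match(text) is not None


# Per branch: (first affected release, first release carrying the fix), from the advisory.
AFFECTED_RANGES = {
    (12, 0): (parse_version("12.0.0"), parse_version("12.0.4 IF1")),
    (11, 2): (parse_version("11.2.0"), parse_version("11.2.4 FP5")),
}


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one version string.

    'fixed' for anything at or past the fix level on a listed branch is an
    assumption (later releases are presumed to carry the fix); 'not listed'
    means the advisory does not cover that branch, which is not the same as safe.
    """
    v = parse_version(text)
    rng: Optional[Tuple[CognosVersion, CognosVersion]] = AFFECTED_RANGES.get((v.major, v.minor))
    if rng is None:
        return "not listed"
    first_affected, first_fixed = rng
    if first_affected <= v < first_fixed:
        return "affected"
    return "fixed"


def required_fix(text: str) -> Optional[str]:
    """Name the fix level to move to, or None when no upgrade is called for by the advisory."""
    if assess(text) != "affected":
        return None
    v = parse_version(text)
    return "12.0.4 Interim Fix 1" if (v.major, v.minor) == (12, 0) else "11.2.4 FP5"


if __name__ == "__main__":
    # Constructed sample inventory (hostname, reported version); these are not real hosts.
    inventory = [
        ("bi-prod-01", "11.2.4 FP4"),
        ("bi-prod-02", "11.2.4 FP5"),
        ("bi-dev-01", "12.0.3"),
        ("bi-old-01", "11.1.7 FP6"),
    ]
    for host, ver in inventory:
        fix = required_fix(ver)
        print(f"{host:12} {ver:12} {assess(ver):10} {'-> ' + fix if fix else ''}")
```

Feed it the versions from your own asset inventory; anything reported as "affected" goes into the patch cycle, and anything "not listed" needs a manual look at IBM's advisory rather than being closed out.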