CVE-2022-22965 & CVE-2022-22963
Origina has been working with our Global IBM Experts and partners to analyze both CVE-2022-22965 & CVE-2022-22963 (Spring4Shell) critical vulnerabilities to determine if this vulnerability impacts IBM products.
Based on our investigations of the IBM product portfolio, at time of article publication, we have identified Cognos as the main product which could potentially be impacted by these vulnerabilities.
Note: It may be possible for users to introduce the vulnerability through the implementation of custom code and/or configuration.
Guidance has been provided below on how to investigate the likelihood of being impacted by these vulnerabilities and mitigate within Cognos.
It is highly recommended that all the mitigation actions presented below are first tested within a non-prod / test environment to ensure there is no unintentional impact to intended Cognos operations before deployment into your production environment.
If you feel you are exposed to these vulnerabilities and / or require support in the planning or conduct of the mitigation actions, please reach out to the Origina support team at the contact details below:
If you are an Origina customer, please log a ticket at firstname.lastname@example.org or through the Self-Service Portal.
If you are not an Origina customer, please call a member of our sales team:
Dublin: + 353 (1) 524 0012
London: +44 2033 183790
Potentially impacted Cognos version(s):
Cognos BI version 8xx and Cognos Analytics version 10.0/10.1 included Apache Tomcat as an embedded Java servlet and Cognos 10 uses Java 9 as an ‘out of the box’ configuration.
NIST (National Institute of Standards and Technology) Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of this vulnerability is more general, and there may be other ways to exploit it.
To determine if there is a likelihood you are exposed to these vulnerabilities, first verify utilized versions and configurations of Cognos deployed within your environments.
According to Spring, to exploit the vulnerability, there are several required prerequisites within the target environment:
To verify if Cognos is using Java (JDK) 9 or greater, undertake one or more of the following methods:
Method 1 – Using Command:
If you are aware of the Java home directory that is being used, use the command “java -version” to find the exact version for Java.
Method 2 – From Cognos Configuration:
Method 3 – From Logs:
NIST Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression that may result in remote code execution and access to local resources.
Spring Cloud Versions Impacted:
Origina continues to investigate this vulnerability and its potential impact, if any, to IBM products. If you are a current Origina customer and have any particular concerns and/or questions on if this vulnerability impacts your IBM implementation, then please reach out to Origina at email@example.com or through the Self-Service Portal.
If you are not a current customer and require support, please call a member of our sales team:
DUBLIN: + 353 (1) 524 0012
LONDON: +44 2033 183790
Gain insight into industry-only news, access to webinars, tips and tricks, blog posts, podcasts, and guides, surrounding topics like cybersecurity, reducing software support and maintenance costs and much more, all delivered to your inbox each month.LEARN MORE