IBM Cognos Analytics Security Update Advisory
Overview
A security update has been released that addresses vulnerabilities in IBM Cognos Analytics. Users of affected products are advised to update to the latest version.
Affected Products
- IBM Cognos Analytics versions 12.0.0 through 12.0.4 (both inclusive)
- IBM Cognos Analytics versions 11.2.0 through 11.2.4 FP4 (both inclusive)
Resolved Vulnerabilities
- Vulnerability in IBM Cognos Analytics that allows a privileged user to upload a malicious file and have it automatically processed by the system (CVE-2024-40695)
- Expression Language injection vulnerability in IBM Cognos Analytics that could result in information disclosure, memory resource consumption, or server crash (CVE-2024-51466)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the sites listed under References to update to the patched version for your release.
- IBM Cognos Analytics 12.0.4 Interim Fix 1
- IBM Cognos Analytics 11.2.4 FP5
References
[1] Security Bulletin: IBM Cognos Analytics is vulnerable to Malicious File Upload and EL Injection vulnerabilities (CVE-2024-40695, CVE-2024-51466)
https://www.ibm.com/support/pages/node/7179496