Question & Answer
Question
Is the Apache Tomcat component used by IBM Cognos Business Intelligence vulnerable to CVE-2013-2067 CVE-2012-5887 CVE-2012-5886 CVE-2012-5885 CVE-2012-4534 CVE-2012-4431 CVE-2012-3546 CVE-2012-2733 CVE-2011-5064 CVE-2011-5063 CVE-2011-5062 CVE-2011-3190 CVE-2011-2526 CVE-2011-2204 CVE-2011-1184 CVE-2011-0534 CVE-2011-0013 CVE-2010-4312 CVE-2010-4172 CVE-2010-3718 CVE-2010-2227 CVE-2010-1157 CVE-2009-3548 CVE-2009-2902 CVE-2009-2901 CVE-2009-2693 CVE-2009-0783 CVE-2009-0781 CVE-2009-0580 CVE-2009-0033 CVE-2008-5519 CVE-2008-5515 CVE-2008-2938 CVE-2008-2370 CVE-2008-1947 CVE-2008-1232 CVE-2007-6286 CVE-2007-5461 CVE-2007-5342 CVE-2007-5333 CVE-2007-3386 CVE-2007-3385 CVE-2007-3382 CVE-2007-2450 CVE-2007-2449 CVE-2007-1860 CVE-2007-1355 CVE-2007-0450?
Answer
The Apache Tomcat component used by IBM Cognos 10 BI is not vulnerable to these issues.
See the individual answers below:
CVE-2013-2067 | The Tomcat component is configured not to use the FORM authenticator. |
CVE-2012-5887 | The Tomcat component is configured not to use 'Digest' authentication. |
CVE-2012-5886 | The Tomcat component is configured not to use 'Digest' authentication. |
CVE-2012-5885 | The Tomcat component is configured not to use 'Digest' authentication. |
CVE-2012-4534 | The Tomcat component is configured not to use the NIO connector. |
CVE-2012-4431 | The Cognos product uses its own CSRF protection. |
CVE-2012-3546 | The Tomcat component is configured not to use the FORM authenticator. |
CVE-2012-2733 | The Tomcat component is configured to use the classic HTTP connector, and not the NIO connector. |
CVE-2011-5064 | The Tomcat component is configured not to use 'Digest' authentication. |
CVE-2011-5063 | The Tomcat component is configured not to use 'Digest' authentication. |
CVE-2011-5062 | The Tomcat component is configured not to use 'Digest' authentication. |
CVE-2011-3190 | The Tomcat component is configured to use the classic HTTP connector, and none of the AJP connectors. |
CVE-2011-2526 | The Tomcat component is configured to use the classic HTTP connector, and neither the APR nor the NIO connector. |
CVE-2011-2204 | The Tomcat remote management components (such as Tomcat Manager) are not deployed, and no Tomcat user accounts are stored in memory. |
CVE-2011-1184 | The Tomcat component is configured not to use 'Digest' authentication. |
CVE-2011-0534 | The Tomcat component is configured to use the classic HTTP connector, and not the NIO connector. |
CVE-2011-0013 | The Tomcat remote management components (such as Tomcat Manager) are not deployed. |
CVE-2010-4312 | The default Tomcat session management is not used, and the Cognos product implements its own session management. |
CVE-2010-4172 | The Tomcat remote management components (such as Tomcat Manager) are not deployed. |
CVE-2010-3718 | This vulnerability only applies to shared application hosting environments. The Tomcat component is used solely with the Cognos product; no other untrusted web applications are deployed. |
CVE-2010-2227 | This vulnerability can only be exploited by sending a direct request to Tomcat with a non-standard value for the "Transfer-Encoding" HTTP header. Microsoft IIS and Apache HTTP server gateways do not handle headers with this non-standard value and gracefully return an error. |
CVE-2010-1157 | The Tomcat component is configured not to use BASIC or DIGEST authentication. |
CVE-2009-3548 | The Tomcat component is not installed by the default installer, and the Tomcat remote management components (such as Tomcat Manager) are not deployed. |
CVE-2009-2902 | This vulnerability only applies to shared application hosting environments. The Tomcat component is used solely with the Cognos product; no other untrusted web applications are deployed. |
CVE-2009-2901 | The autoDeploy feature of the Tomcat component is enabled, but Cognos users cannot create files in the Tomcat folder. |
CVE-2009-2693 | Cognos users cannot create files in the Tomcat folder. |
CVE-2009-0783 | This vulnerability only applies to shared application hosting environments. The Tomcat component is used solely with the Cognos product; no other untrusted web applications are deployed. |
CVE-2009-0781 | All the sample programs normally deployed with the Tomcat component are removed from the Cognos product. |
CVE-2009-0580 | The Tomcat remote management components (such as Tomcat Manager) are not deployed, and no Tomcat user accounts are stored in memory. |
CVE-2009-0033 | The Tomcat component is configured to use the classic HTTP connector, and not the APR-AJP connector. |
CVE-2008-5519 | The Tomcat component is configured to use the classic HTTP connector, and not the APR-AJP connector. |
CVE-2008-5515 | Custom-made RequestDispatcher and PageContext classes are used in the Cognos product, making the Tomcat component immune to this vulnerability. |
CVE-2008-2938 | The Tomcat component is configured without the “allowLinking” feature. |
CVE-2008-2370 | Custom-made RequestDispatcher and PageContext classes are used in the Cognos product, making the Tomcat component immune to this vulnerability. |
CVE-2008-1947 | The Tomcat remote management components (such as Tomcat Manager) are not deployed. |
CVE-2008-1232 | The Cognos product does not generate HTTP error status messages containing user-controlled data. |
CVE-2007-6286 | The Tomcat component is configured to use the classic HTTP connector, and not the APR connector. |
CVE-2007-5461 | The Tomcat component is configured without the “WebDAV” feature. |
CVE-2007-5342 | The Tomcat component is configured without the “JULI logging” feature. |
CVE-2007-5333 | Cognos users cannot control the value of any cookies set by the Tomcat component. |
CVE-2007-3386 | The Tomcat remote management components (such as Tomcat Manager) are not deployed. |
CVE-2007-3385 | Cognos users cannot control the value of any cookies set by the Tomcat component. |
CVE-2007-3382 | Cognos users cannot control the value of any cookies set by the Tomcat component. |
CVE-2007-2450 | The Tomcat remote management components (such as Tomcat Manager) are not deployed. |
CVE-2007-2449 | All the sample programs normally deployed with the Tomcat component are removed from the Cognos product. |
CVE-2007-1860 | The Tomcat component is configured to use the classic HTTP connector, and not the APR-AJP connector. |
CVE-2007-1355 | All the sample programs normally deployed with the Tomcat component are removed from the Cognos product. |
CVE-2007-0450 | No proxy modules are used with the Tomcat component. |
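Most of the answers above rest on configuration state (connector type, authentication method, allowLinking, WebDAV), which can be re-checked on a given installation. The following is an added example, not IBM's code: the function names are hypothetical and the sample XML is constructed, not taken from a Cognos installation. It covers only the settings visible in server.xml and web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a Cognos installation).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9300" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Context path="/app" allowLinking="true"/>
  </Host></Engine>
</Service></Server>"""

SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class></servlet>
  <login-config><auth-method>DIGEST</auth-method></login-config>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix such as {http://...}web-app."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """Flag connectors and Context settings the answer says are not in use."""
    findings = []
    for el in ET.fromstring(text).iter():
        if local(el.tag) == "Connector":
            proto = el.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
            # AJP, NIO and APR protocol names all carry one of these markers.
            if any(m in proto for m in ("AJP", "Ajp", "Nio", "Apr")):
                findings.append(f"connector protocol {proto} on port {el.get('port')}")
        elif local(el.tag) == "Context" and el.get("allowLinking", "false").lower() == "true":
            findings.append(f"allowLinking enabled on context {el.get('path')}")
    return findings

def audit_web_xml(text):
    """Flag container authentication methods and the WebDAV servlet."""
    findings = []
    for el in ET.fromstring(text).iter():
        value = (el.text or "").strip()
        if local(el.tag) == "auth-method" and value.upper() in ("BASIC", "DIGEST", "FORM"):
            findings.append(f"auth-method {value}")
        elif local(el.tag) == "servlet-class" and value.endswith("WebdavServlet"):
            findings.append("WebDAV servlet mapped")
    return findings

if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML) + audit_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", line)
```

On Tomcat 6 and 7, `protocol="HTTP/1.1"` selects the APR connector automatically when the native library is installed, so also confirm that the library is absent. Whether Tomcat Manager and the sample applications are deployed is a file-system check and is not covered here.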
Document Information
Modified date:
15 June 2018
UID
swg21590073