CVE-2021-29745

8.8 HIGH

📋 TL;DR

CVE-2021-29745 is a privilege escalation vulnerability in IBM Cognos Analytics 11.1.7 and 11.2.0: a lower-level user can reach the 'New Job' page, which should be restricted to higher-level users. In Cognos a job bundles reports and other entries for execution or scheduling, so the flaw lets such a user create and schedule work that the product's access model was meant to deny them.

💻 Affected Systems

Products:
  • IBM Cognos Analytics
Versions: 11.1.7 and 11.2.0
Operating Systems: All supported OS for IBM Cognos Analytics
Default Config Vulnerable: ⚠️ Yes
Notes: Default installations are affected; the restriction on the 'New Job' page is not enforced against lower-level users, so no unusual configuration is needed to hit the flaw.

📦 What is this software?

IBM Cognos Analytics is IBM's enterprise business intelligence and reporting platform. In Cognos, a job is a group of runnable entries (reports, agents and similar) that are executed together or on a schedule; the 'New Job' page is where such groups are created, so its access control decides who may schedule work on the server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with low privileges could create jobs that run reports and other entries they were never meant to trigger, pulling sensitive data from across the organization, and could chain this foothold with other weaknesses to push deeper into the Cognos Analytics server.

🟠

Likely Case

Unauthorized users create jobs that disrupt business operations, modify reports, or access data beyond their permissions, leading to data integrity issues.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to minor unauthorized job creation that can be quickly detected and rolled back.

🌐 Internet-Facing: MEDIUM - An internet-exposed instance is only reachable by someone who already holds valid low-privilege credentials (phished, reused or default accounts); exposure raises the chance of that first foothold but does not make the flaw unauthenticated.
🏢 Internal Only: HIGH - Malicious insiders or a compromised ordinary account can use the flaw directly; the authentication requirement is no barrier inside the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access as a low-privilege user, making it straightforward for insiders or attackers with stolen credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Per the IBM security bulletin, IBM Cognos Analytics 11.1.7 Fix Pack 4 (11.1.7.4) or later, and 11.2.0 Fix Pack 2 (11.2.0.2) or later. Confirm the currently recommended level against the bulletin itself, since IBM updates it.

Vendor Advisory: https://www.ibm.com/support/pages/node/6491661

Restart Required: Yes

Instructions:

1. Download the appropriate fix pack from IBM Fix Central.
2. Back up your Cognos Analytics environment.
3. Apply the fix pack following IBM's installation guide.
4. Restart the Cognos Analytics services.
5. Verify the patch by checking the version and re-testing access controls.

🔧 Temporary Workarounds

Restrict Access via Role Configuration (applies to all affected versions)

Manually review and tighten role-based access in Cognos Analytics so that only roles that legitimately schedule work hold the capabilities behind the 'New Job' page.

In Manage > Administration console > Security tab > Capabilities, review who holds the Scheduling capability and its secured functions, and remove it from groups and roles such as Everyone or Consumers that should not create jobs (role membership is managed under Users, Groups, and Roles on the same tab). Treat this as a reduction of exposure, not a fix: the defect is in the page's own check, so confirm the result with a low-privileged test account rather than trusting the configuration.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Cognos Analytics servers from critical systems.
  • Enhance monitoring and alerting for unauthorized job creation activities in Cognos logs.

🔍 How to Verify

Check if Vulnerable:

Log in with a test account that holds no administrative or scheduling rights and try to open the 'New Job' page the same way an administrator would (navigate to it, or paste the URL an administrator lands on). If the page renders with its controls rather than returning an access error or a redirect, the instance is vulnerable.

Check Version:

In Cognos Analytics, open the help menu and choose About to read the version and fix pack level. On the server, the cmplst.txt file in the installation directory lists the installed component versions.

Verify Fix Applied:

After patching, repeat the access test with the same low-privileged account; the 'New Job' page should now return an access error or a redirect instead of rendering. Also confirm that administrators can still reach it, so the fix has not broken legitimate scheduling.
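The check above is a differential authorization test: request the same page with an administrative session and a low-privileged one and compare. The script below is an added example, not IBM code or anything from the bulletin. It assumes the operator supplies the page path, the session cookies and one or two marker strings that appear only on the real 'New Job' page (all observed from an administrator's browser; the page does not state them), and it treats a failed administrator baseline as inconclusive rather than as a pass.

```python
"""Differential access check for a restricted Cognos Analytics page.

Added example, not IBM code. It fetches the same URL with two sessions
(one administrative, one low-privileged) and classifies the outcome.
Assumptions (not stated on the advisory page): the New Job page path,
the cookie values and the marker strings are supplied by the operator
after watching a legitimate administrator open the page in a browser.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable
import urllib.error
import urllib.request


@dataclass
class Probe:
    """What one request came back with."""
    status: int
    body: str


Fetcher = Callable[[str, Dict[str, str]], Probe]


def http_fetch(url: str, headers: Dict[str, str]) -> Probe:
    """Live fetcher. urllib follows redirects, so a bounce to the login
    page comes back as 200 with the login page body, not as a 302."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return Probe(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.read(65536).decode("utf-8", "replace"))


def classify(admin: Probe, low: Probe, markers: Iterable[str]) -> str:
    """Compare the two responses and return VULNERABLE, RESTRICTED or INCONCLUSIVE.

    The administrator response is the baseline: if it does not contain the
    markers, the test is not measuring the right page (wrong path, expired
    session), and reporting RESTRICTED would be a false negative.
    """
    marks = list(markers)
    admin_ok = admin.status == 200 and any(m in admin.body for m in marks)
    if not admin_ok:
        return "INCONCLUSIVE"
    if low.status in (401, 403):
        return "RESTRICTED"                  # explicit denial
    if low.status == 200 and any(m in low.body for m in marks):
        return "VULNERABLE"                  # low-privileged session sees the page
    if low.status == 200:
        return "RESTRICTED"                  # soft denial: login or error page
    return "INCONCLUSIVE"                    # 5xx or other unexpected answer


def run(base_url: str, page_path: str, admin_cookie: str, low_cookie: str,
        markers: Iterable[str], fetch: Fetcher = http_fetch) -> str:
    """Drive the check; `fetch` is injectable so the logic can run offline."""
    url = base_url.rstrip("/") + page_path
    admin = fetch(url, {"Cookie": admin_cookie})
    low = fetch(url, {"Cookie": low_cookie})
    return classify(admin, low, markers)


if __name__ == "__main__":
    # Offline demonstration with a constructed fetcher. For a live test,
    # drop the last argument so http_fetch is used, and fill in the real
    # path, cookies and markers observed on your own instance.
    def fake_fetch(url: str, headers: Dict[str, str]) -> Probe:
        if "ADMIN" in headers.get("Cookie", ""):
            return Probe(200, "<title>New job</title>")
        return Probe(403, "Forbidden")

    print(run("https://cognos.example.internal", "/path-to-new-job-page",
              "cam_passport=ADMIN_SESSION", "cam_passport=LOWPRIV_SESSION",
              ["New job"], fake_fetch))
```

Run it before and after patching with the same two accounts; the result should move from VULNERABLE to RESTRICTED while the administrator baseline keeps passing.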

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing unauthorized access attempts to job creation pages, or unexpected job creation events by low-privilege users in Cognos audit logs.

Network Indicators:

  • Unusual spikes in HTTP requests to Cognos job-related endpoints from internal IPs.

SIEM Query:

Example (field and value names are illustrative; map them to your audit schema): source="cognos_logs" AND (event="job_creation" OR url_path="/new_job") AND user_role="low_privilege"
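The query above expresses the rule in words; the following is an added example (not IBM code and not tied to the real Cognos audit schema) that runs the same rule over a constructed audit export. The column names, the set of accounts allowed to create jobs, and the log lines are all assumptions for the example; in practice the allowed set comes from the roles that hold the Scheduling capability, and the rows come from your audit store or SIEM. It also flags bursts, since an attacker probing the flaw tends to create several jobs in a short span.

```python
"""Detect job creation by accounts that should not hold that right.

Added example, not IBM code. Column names (timestamp, user, operation,
target_type, target_path) and the allowed-creator set are assumptions
standing in for whatever your Cognos audit export provides.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample export for the example; not real audit data.
CONSTRUCTED_AUDIT_EXPORT = """timestamp,user,operation,target_type,target_path
2021-09-01T10:00:01Z,bi_admin,create,job,/content/Nightly loads
2021-09-01T10:05:17Z,jdoe,create,job,/content/Ad hoc 1
2021-09-01T10:06:00Z,jdoe,execute,report,/content/Sales
2021-09-01T10:07:43Z,jdoe,create,job,/content/Ad hoc 2
2021-09-01T10:08:10Z,jdoe,create,job,/content/Ad hoc 3
2021-09-01T11:30:00Z,asmith,create,report,/content/Team
2021-09-01T12:00:00Z,asmith,create,job,/content/Weekly
"""

# Assumed: accounts that legitimately create jobs. Derive this from the
# roles holding the Scheduling capability on your instance.
JOB_CREATORS: Set[str] = {"bi_admin"}


@dataclass
class Event:
    ts: datetime
    user: str
    operation: str
    target_type: str
    target_path: str


def parse_audit(text: str) -> List[Event]:
    """Parse the CSV export into typed events."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(Event(
            datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            row["user"], row["operation"], row["target_type"], row["target_path"]))
    return events


def unauthorized_job_creations(events: List[Event], allowed: Set[str]) -> List[Event]:
    """The core rule: a job was created by someone outside the allowed set."""
    return [e for e in events
            if e.operation == "create" and e.target_type == "job"
            and e.user not in allowed]


def summarize(findings: List[Event]) -> Counter:
    """Count unauthorized creations per user."""
    return Counter(e.user for e in findings)


def burst_users(findings: List[Event], window: timedelta = timedelta(minutes=10),
                threshold: int = 3) -> Set[str]:
    """Users with at least `threshold` unauthorized creations inside any `window`."""
    by_user: Dict[str, List[datetime]] = {}
    for e in sorted(findings, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e.ts)
    hits: Set[str] = set()
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(user)
                break
    return hits


if __name__ == "__main__":
    evs = parse_audit(CONSTRUCTED_AUDIT_EXPORT)
    found = unauthorized_job_creations(evs, JOB_CREATORS)
    for e in found:
        print(f"{e.ts.isoformat()} {e.user} created job {e.target_path}")
    print("per user:", dict(summarize(found)))
    print("burst:", burst_users(found))
```

A single unauthorized creation is worth a ticket; a burst from one account within minutes is the pattern to page on, because it looks like someone exploring what the page lets them do.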

🔗 References

  • IBM Security Bulletin: https://www.ibm.com/support/pages/node/6491661
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-29745
