CVE-2024-49352
📋 TL;DR
IBM Cognos Analytics is vulnerable to XML External Entity Injection (XXE), allowing attackers to read sensitive files from the server or cause denial of service through memory consumption. This affects all users running vulnerable versions of IBM Cognos Analytics 11.2.0-11.2.4 and 12.0.0-12.0.4.
💻 Affected Systems
- IBM Cognos Analytics
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through sensitive file disclosure (including configuration files, credentials, or system files) leading to data breach and potential lateral movement.
Likely Case
Information disclosure of server-side files and potential denial of service through resource exhaustion.
If Mitigated
Limited impact with proper network segmentation and XML parsing restrictions in place.
🎯 Exploit Status
Exploitation requires crafting malicious XML payloads but does not require authentication to the Cognos system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply security patches from IBM - specific version depends on your current installation
Vendor Advisory: https://www.ibm.com/support/pages/node/7181480
Restart Required: Yes
Instructions:
1. Review the IBM advisory at the URL above.
2. Download the appropriate fix pack for your version.
3. Apply the fix following IBM installation procedures.
4. Restart Cognos services.
🔧 Temporary Workarounds
Disable XXE processing
Configure XML parsers to disable external entity processing
Configure XML parser settings to set features: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true
Input validation
Implement strict input validation for XML data
Implement XML schema validation and reject XML containing DOCTYPE declarations
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Cognos servers
- Deploy web application firewall with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check Cognos version via administration console or version files in installation directory
Check Version:
Check <cognos_install>/c10/version.txt or administration console
Verify Fix Applied:
Verify patch installation through Cognos administration console and test XXE payloads are rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Large XML payloads in requests
- Requests containing DOCTYPE declarations
Network Indicators:
- XML payloads with external entity references
- Outbound connections to unexpected URLs from Cognos server
SIEM Query:
source="cognos.log" AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM")