CVE-2025-0923
📋 TL;DR
IBM Cognos Analytics stores source code files on the web server that could be accessed by attackers. This vulnerability allows attackers to view sensitive source code that could reveal implementation details, potentially aiding in further attacks. Affects IBM Cognos Analytics versions 11.2.0-11.2.4 and 12.0.0-12.0.4.
💻 Affected Systems
- IBM Cognos Analytics
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain source code revealing authentication mechanisms, database connections, API keys, or other secrets, leading to complete system compromise through follow-up attacks.
Likely Case
Attackers gain insight into application architecture and logic, enabling targeted attacks like SQL injection, authentication bypass, or privilege escalation.
If Mitigated
Limited exposure with only non-sensitive code accessible, but still provides reconnaissance value to attackers.
🎯 Exploit Status
Exploitation requires web server access but no authentication. Attackers can browse to exposed source files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply security patches from IBM
Vendor Advisory: https://www.ibm.com/support/pages/node/7234674
Restart Required: Yes
Instructions:
1. Review IBM advisory 7234674.
2. Apply the appropriate fix pack or interim fix.
3. Restart Cognos services.
4. Verify that source files are no longer accessible.
🔧 Temporary Workarounds
Web Server Configuration Restriction
Configure the web server to block access to source file extensions (.java, .jsp, .class, etc.)
# Apache: Add to .htaccess or httpd.conf
<FilesMatch "\.(java|jsp|class|properties)$">
Require all denied
</FilesMatch>
# IIS: Add to web.config
<system.webServer>
  <security>
    <requestFiltering>
      <fileExtensions>
        <add fileExtension=".java" allowed="false" />
        <add fileExtension=".jsp" allowed="false" />
      </fileExtensions>
    </requestFiltering>
  </security>
</system.webServer>
Network Access Control
Restrict access to the Cognos web interface to trusted networks only
# Firewall rule example (rules are appended in order, so the ACCEPT rules must be added before the DROP rules)
# iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Cognos servers
- Deploy web application firewall with rules blocking source file access
🔍 How to Verify
Check if Vulnerable:
Attempt to access known source file paths via browser or curl (e.g., /path/to/source.java). If the file is served, the system is vulnerable.
Check Version:
# On Cognos server, check version in installation directory or via admin console
Verify Fix Applied:
Verify source files are no longer accessible via web requests. Check that patch version is installed.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests for .java, .jsp, .class, .properties files
- Unusual file access patterns from external IPs
- 403 errors after implementing restrictions
Network Indicators:
- External requests to Cognos web interface for source files
- Traffic spikes from scanning tools
SIEM Query:
source="web_server_logs" AND (uri="*.java" OR uri="*.jsp" OR uri="*.class" OR uri="*.properties") AND src_ip NOT IN (trusted_networks)
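The SIEM query above expressed as a stand-alone log check, added here as an example that is not part of the original advisory. It runs the same filter over constructed Apache-format log lines, strips any query string before matching the extension (a `uri="*.java"` wildcard misses `/X.java?v=1`), and splits hits into served (status 200, an actual disclosure) versus blocked (403/404, the workaround or patch holding). The trusted network range is a placeholder assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:12:01 +0000] "GET /ibmcognos/bi/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:12:03 +0000] "GET /ibmcognos/bi/Example.java HTTP/1.1" 200 8801 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:09:12:04 +0000] "GET /ibmcognos/bi/app.properties?x=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"
10.0.0.9 - - [10/Mar/2025:09:13:10 +0000] "GET /ibmcognos/bi/Login.jsp HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2025:09:14:22 +0000] "GET /ibmcognos/bi/Foo.class HTTP/1.1" 404 150 "-" "python-requests/2.31"
"""

# Extensions the workaround blocks; matched against the path with the query string removed.
SOURCE_EXT = re.compile(r"\.(java|jsp|class|properties)$", re.IGNORECASE)
# Groups: client ip, timestamp, method, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Placeholder for the page's "trusted_networks"; replace with your own ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_source_file_requests(log_text: str) -> list[dict]:
    """Return requests for source-file extensions coming from untrusted clients."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ip, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # strip query string before the extension check
        if not SOURCE_EXT.search(path) or is_trusted(ip):
            continue
        hits.append({"ip": ip, "ts": ts, "method": method, "path": path,
                     "status": int(status), "served": status == "200"})
    return hits


def summarize(hits: list[dict]) -> dict:
    """Per-IP counts split into served (disclosure) and blocked (403/404) requests."""
    served = Counter(h["ip"] for h in hits if h["served"])
    blocked = Counter(h["ip"] for h in hits if not h["served"])
    return {"served": dict(served), "blocked": dict(blocked)}


if __name__ == "__main__":
    print(summarize(find_source_file_requests(SAMPLE_LOG)))
```

A non-empty `served` entry means a source file was actually delivered to an untrusted client and should be treated as a confirmed exposure, while `blocked` entries show probing that the restriction stopped.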