A third-party ActiveX control (EdrawSoft) may have been registered in the Windows registry by the CDM client installation process. This ActiveX control contains a security vulnerability that could allow malicious web sites unauthorized access to files on the user's machine.
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for these issues are:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82345 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
The EdrawSoft ActiveX control is marked as "safe for scripting", meaning that once it is installed on a client machine it can be controlled from web pages. Users who visit malicious web sites on the Internet can have their local files uploaded to those sites, or binary files forcefully downloaded onto their machines. Newly downloaded binary files can also be executed from the malicious web page.
IBM Cognos Disclosure Management 10.2.0
The registration of the ActiveX control should be removed from the Windows registry to prevent any security vulnerabilities. This will not affect how the ActiveX control works within the CDM product; it will only remove access from outside the application.
The following registry keys should be removed if they exist:
It is recommended that the registry keys are backed up prior to making any changes.
Please refer to the instructions below for backing up and deleting a registry key:
- Log in to the machine as a local administrator.
- Open the registry editor (regedit at command line).
- Locate and click on the key that is to be removed.
- Click on the File menu and select 'Export'.
- In the Save In box, select the location to save the file to and enter an appropriate file name, then click Save.
- Delete the key by right clicking on the key and selecting 'Delete'.
- To restore a key, double click on the saved .reg file.
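The same backup-then-delete procedure can be scripted. The following PowerShell script is an added example and is not code from this bulletin, from IBM or from EdrawSoft. It first audits which registered COM classes carry Microsoft's well-known "safe for scripting" category ID ({7DD95801-9882-11CF-9FA9-00AA006C42C4}), which is how a control gets the "safe for scripting" status described above, so the EdrawSoft control's CLSID can be identified on a given machine. It then exports the control's CLSID key with reg.exe before deleting it, checking both the native and the Wow6432Node view of HKCR (an assumption about where the registration may live on 64-bit Windows). The CLSID value in the script is a placeholder, because the bulletin does not list the registry keys; substitute the real one before running, from an elevated session.

```powershell
# Added example; not IBM's or EdrawSoft's code. Run from an elevated (local administrator) PowerShell.
# $Clsid is a PLACEHOLDER: the bulletin does not list the control's CLSID, so supply it yourself.
param(
    [string]$Clsid     = '{00000000-0000-0000-0000-000000000000}',   # placeholder, not a real value
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'reg-backup')
)

# Microsoft's well-known COM category ID for "safe for scripting". A CLSID that lists this
# category under "Implemented Categories" can be instantiated and driven by any web page.
$CatidSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'

function Get-SafeForScriptingControl {
    # Audit step: list every registered COM class marked safe for scripting, with its
    # display name and the DLL/OCX that implements it, so the EdrawSoft entry can be found.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path "$($_.PSPath)\Implemented Categories\$CatidSafeForScripting" } |
        ForEach-Object {
            [pscustomobject]@{
                Clsid  = $_.PSChildName
                Name   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                Server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
        }
}

function Remove-ComRegistrationWithBackup {
    param([string]$Clsid, [string]$BackupDir)

    # Assumption: on 64-bit Windows the registration may sit in either registry view.
    # Only keys that actually exist are touched, matching "remove if they exist" above.
    $candidates = @(
        "HKCR\CLSID\$Clsid",
        "HKCR\Wow6432Node\CLSID\$Clsid"
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($key in $candidates) {
        $psPath = 'Registry::HKEY_CLASSES_ROOT\' + $key.Substring(5)   # drop the leading "HKCR\"
        if (-not (Test-Path $psPath)) { continue }

        # Export first; the change is reversed later with:  reg.exe import <file>
        $file = Join-Path $BackupDir (($key -replace '[\\{}]', '_') + '.reg')
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; key was not deleted." }

        Remove-Item -Path $psPath -Recurse -Force
        Write-Output "Removed $key (backup saved to $file)"
    }
}

# 1. Show every safe-for-scripting control so the EdrawSoft CLSID can be confirmed.
Get-SafeForScriptingControl | Sort-Object Name | Format-Table -AutoSize

# 2. Back up and remove the registration for the chosen CLSID.
if ($Clsid -eq '{00000000-0000-0000-0000-000000000000}') {
    Write-Warning 'Replace the placeholder -Clsid with the real CLSID found in step 1 before removing anything.'
    return
}
Remove-ComRegistrationWithBackup -Clsid $Clsid -BackupDir $BackupDir
```

After the removal, re-running the audit function should no longer list the control; if it does, the registration exists under a key the script did not cover. Restoring is the same as the manual procedure: import the exported .reg file (double-click it, or run reg.exe import on it).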
This issue has been corrected in an update from EdrawSoft and will be included in future releases of CDM.
For more assistance, please contact IBM Support.
5 April 2013: Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.