CVE-2025-36326
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| IBM | Cognos Controller | 11.0.0 <= 11.0.1 | affected |
| IBM | Controller | 11.1.0 <= 11.1.1 | affected |
Weaknesses
- CWE-321: CWE-321 Use of Hard-coded Cryptographic Key
Workarounds
Download the script from here: Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes
It is strongly recommended that you apply the most recent security updates:
Affected Product(s)Version(s)Interim FixIBM Controller11.1.0 - 11.1.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes IBM Cognos Controller11.0.0 - 11.0.1 Fix Central https://www.ibm.com/support/fixcentral/swg/selectFixes
Prerequisites
Ensure you are logged in to the server with System Administrator privileges.
Create a backup of the server.js file located in the product installation path (e.g., C:\ccr_64\frontend) before proceeding. Procedure
Navigate to the directory containing server.js in the product installation path (e.g., C:\ccr_64\frontend).
Copy the script file ControllerWebUIService_11_X_Patch.ps1 into this directory.
Right-click on the ControllerWebUIService_11_X_Patch.ps1 script and select Run with PowerShell to execute it.
After execution, verify that a new System Environment Variable named session_passphrase has been created and assigned a random value.
Confirm that all SSL configuration steps have already been completed if you have enabled SSL.
Restart the IBM Controller Web UI service. Notes
This script is intended for one-time use only. Do not re-run the script.
If any errors occur during execution of the ControllerWebUIService_11_X_Patch.ps1 script, you may run the rollback script ControllerWebUIService_11_X_Patch_Rollback.ps1 or replace server.js with the backed-up file.
Do not delete the session_passphrase environment variable.
After each Fix Pack (FP) upgrade, re-execute the patch script only if the session_passphrase is missing from the server.js file.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.