IBM Cognos Analytics Certified Containers Vulnerability

MEDIUM (5.3) Patch Available

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 11%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

IBM Cognos Analytics Certified Containers 12.1.0 includes the PostgreSQL JDBC Driver (PgJDBC), which allows Java programs to connect to a PostgreSQL database using standard, database-independent Java code. The PgJDBC implementation of the java.sql.ResultRow.refreshRow() method does not escape column names, so a malicious column name can lead to SQL injection and potentially to the execution of additional SQL commands as the application's JDBC user.

Am I affected?

IBM Cognos Analytics Certified Containers 12.1.0
Check with: No automated detection in major tools (OSV, Nuclei, Sigma, Snort/Suricata, YARA, Semgrep)

Note: This advisory covers a specific version of the PostgreSQL JDBC Driver as shipped in this product; if you are using a different version or a similar product, you might not be affected. If you don't recognize the name "IBM Cognos Analytics Certified Containers", you're probably not affected.

Affected Packages

nuget: PostgreSQL JDBC Driver (4.5.0)

How to fix

Upgrade to version 4.5.0: https://www.ibm.com/support/pages/node/7250395
Immediate mitigations:
- Restrict network access to your IBM Cognos Analytics Certified Containers instance (firewall it from the public internet)
- Audit admin account activity for suspicious access patterns
- Monitor for unauthorized token creation