Planning Analytics


Log4j and PAL / TM1 DB - Time for an update?

  • 1.  Log4j and PAL / TM1 DB - Time for an update?

    Posted Tue January 11, 2022 08:48 AM
    Hi,

    The version of log4j that ships with the TM1DB is 1.2.17

    As shown at this location.

    ...\Program Files\ibm\cognos\tm1_64\bin\log4j-1.2.17.jar 

    Given the recent focus on this component, please can IBM make a statement on updating the version of log4j that ships with the DB?

    This is now triggering alerts with customers internal scanning and questions are being asked about this and more generally about the policy of keeping these components up to date.

    Version 1.2 was end-of-lifed in Aug 2015.....

    Many thanks,



    ------------------------------
    Steven Rowe
    Technical Director, InfoCat
    ------------------------------



  • 2.  RE: Log4j and PAL / TM1 DB - Time for an update?

    IBM Champion
    Posted Tue January 11, 2022 09:01 AM
    Edited by System Fri January 20, 2023 04:37 PM
    I would like to second this request as I have a client, with multiple installed servers across many countries, asking about updates to log4j throughout PA, wherever it is used i.e. TM1, TM1Web/Spreadsheet services etc. etc.

    They have had a risk raised and group IT are pushing to get a plan of action with timelines to remediate in place.

    I am sure that there are many other clients that will be looking to remediate soon. A roadmap would be great.

    TIA, George.

    ------------------------------
    George Tonkin
    ------------------------------



  • 3.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Wed January 12, 2022 03:19 AM
    Hello,

    I also created a support ticket about this with IBM on Dec 11, 2021, and asked for confirmation about other PA components, other than PAW, being affected or not by this log4j vulnerability. I got the following response on Dec 22, 2021:

    "Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by security vulnerabilities."

    which is also mentioned in https://www.ibm.com/support/pages/node/6528790. 

    But in this case, I think it still needs to be clarified where this file "...\Program Files\ibm\cognos\tm1_64\bin\log4j-1.2.17.jar" is being used, and in which PA component.

    Regards,
    Mucahit

    ------------------------------
    Mucahit Erdal
    ------------------------------



  • 4.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Thu January 13, 2022 08:25 AM
    The TM1 Server itself does not use log4j and is not impacted by any of the current known log4j vulnerabilities.   

    Log4j v1 is used in other components (TM1 Applications for example) that are part of the current Planning Analytics installation (Planning Analytics 2.0.9.11 and lower).  The Planning Analytics team intends to update these other components to a current version of log4j in the next possible maintenance release.  As new Planning Analytics releases become available we will confirm which CVEs are addressed in the release through our regular product notifications.  An example of this sort of notification (for PAW 2.0.72) can be found here: https://www.ibm.com/support/pages/node/6528790

    You can sign up for product notifications here:  https://www.ibm.com/support/pages/stay-date-my-notifications.

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------



  • 5.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Thu January 13, 2022 10:54 AM
    FYI: https://www.ibm.com/support/pages/stay-date-my-notifications <--- does not work.

    ------------------------------
    Michael Burch
    ------------------------------



  • 6.  RE: Log4j and PAL / TM1 DB - Time for an update?

    IBM Champion
    Posted Fri January 14, 2022 01:17 AM
    Edited by System Fri January 20, 2023 04:34 PM
    Stuart's link works fine for me, without the period on the end - your link seems to work Michael.

    ------------------------------
    George Tonkin
    ------------------------------



  • 7.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Fri January 14, 2022 05:21 AM
    Make sure the link
    https://www.ibm.com/support/pages/stay-date-my-notifications
    and not this
    https://www.ibm.com/support/pages/stay-date-my-notifications.

    A dot on the end invalidates the link; without the dot the link is fine.

    ------------------------------
    Simon Saul
    ------------------------------



  • 8.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Sat January 15, 2022 01:55 AM
    Wait... In my understanding log4j is the main logger for all tm1 server logging  (tm1server.log, audit logs and any other logs that can be generated by tweaking the TM1s-log.properties).

    It is an older version and as such is not supposed to be affected by the security issue experienced by other components, but many of our clients have asked if it was ever going to be upgraded...

    Regards, 


    ------------------------------
    Laurent Henssien
    C L A R I T Y
    https://www.clarity.consulting
    ------------------------------



  • 9.  RE: Log4j and PAL / TM1 DB - Time for an update?

    IBM Champion
    Posted Sat January 15, 2022 02:57 AM
    Hi Laurent,

    I think many of us have drawn the same conclusion. TM1s-log.properties contains lines referring to Log4J, as do other files.
    I did reach out to IBM to ask about this and was told that the TM1 server uses Log4C which has not had any issues reported yet.

    It would be good to have this officially stated so that clients' IT departments have a reference.

    HTH,

    ------------------------------
    George Tonkin
    ------------------------------



  • 10.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Sat January 15, 2022 03:26 AM
    Thanks George, in light of Stuart's answer that would make sense, with all the references in the properties file I really thought it was using log4J 👍

    Well if we get a definitive answer from IBM we'll be able to reassure our clients on the non-vulnerability.


    ------------------------------
    Laurent Henssien
    C L A R I T Y
    https://www.clarity.consulting
    ------------------------------



  • 11.  RE: Log4j and PAL / TM1 DB - Time for an update?

    IBM Champion
    Posted Tue January 18, 2022 06:55 AM
    Hi Stuart,

    Is there a link you could share to the future version release timelines and expected dates for remediation of Log4J related issues?
    Not seeing anything on the roadmap relating to Log4J.

    Thank you,
    George

    ------------------------------
    George Tonkin
    ------------------------------



  • 12.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Tue January 18, 2022 11:46 PM
    Hi Stuart,

    I've passed these words onto clients, however they still require the file to be removed as they are scanning it as a vulnerability. Can we remove the file log4j-1.2.17.jar from the following locations without any issues since it isn't being used:




  • 13.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted Wed January 19, 2022 04:48 PM
    Something went wrong there.

    Can we remove log4j-1.2.17.jar from these folders:

    <ibmroot>\cognos\tm1web\webapps\tm1web\WEB-INF\lib
    <ibmroot>\cognos\tm1_64\paa_agent\wlp\usr\servers\kate-agent\apps\expanded\PA_KATE_AGENT.war\WEB-INF\lib
    <ibmroot>\cognos\tm1_64\webapps\p2pd\WEB-INF\lib
    <ibmroot>\cognos\tm1_64\webapps\tm1web\WEB-INF\lib

    ------------------------------
    Malcolm MacDonnell
    ------------------------------
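
The questions in this thread (which components ship log4j 1.x, and which folders hold log4j-1.2.17.jar) are easier to answer with an inventory than by hand. The script below is an added example and is not IBM's code or anything from the product: it walks an install root, reports every log4j jar by filename and manifest version, and records whether the jar contains the classes that the published log4j CVEs concern (JndiLookup for log4j 2.x CVE-2021-44228; JMSAppender for log4j 1.2 CVE-2021-4104, which only matters when that appender is configured; SocketServer for log4j 1.2 CVE-2019-17571). The folder layout it builds as sample input is constructed to mirror the WEB-INF\lib paths listed above; the hypothetical helper names `scan`, `inspect_jar`, `make_sample_tree` and `demo` are mine. Finding a jar on disk says nothing about whether any process loads it, so the removal question remains one for IBM support.

```python
"""Inventory log4j jars under an install root (added example, not IBM's code).

Assumes only what the thread shows: log4j-<version>.jar files sitting in
...\WEB-INF\lib style folders. Paths, helper names and the sample tree are
constructed for illustration.
"""
import os
import re
import tempfile
import zipfile

# Class entries that distinguish the two log4j lines and that the published
# CVEs for each line concern (general log4j facts, not claims about PA):
#   log4j 2.x  JndiLookup   -> CVE-2021-44228
#   log4j 1.2  JMSAppender  -> CVE-2021-4104 (only if the appender is configured)
#   log4j 1.2  SocketServer -> CVE-2019-17571 (deserialization)
MARKERS = {
    "org/apache/log4j/core/lookup/JndiLookup.class": "log4j2 JndiLookup (CVE-2021-44228)",
    "org/apache/log4j/net/JMSAppender.class": "log4j1 JMSAppender (CVE-2021-4104)",
    "org/apache/log4j/net/SocketServer.class": "log4j1 SocketServer (CVE-2019-17571)",
}

# log4j-1.2.17.jar, log4j-core-2.17.1.jar, log4j-api-2.17.1.jar, ...
JAR_NAME = re.compile(r"^log4j(?:-(?:core|api))?-(\d+\.\d+\.\d+)\.jar$", re.IGNORECASE)


def inspect_jar(path):
    """Return (manifest_version, [marker labels]) for one jar."""
    version = None
    found = []
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        for entry, label in MARKERS.items():
            if entry in names:
                found.append(label)
    return version, found


def scan(root):
    """Walk root and return one record per log4j jar found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if not m:
                continue
            full = os.path.join(dirpath, name)
            manifest_version, markers = inspect_jar(full)
            results.append({
                "path": full,
                "filename_version": m.group(1),
                "manifest_version": manifest_version,
                "major": int(m.group(1).split(".")[0]),
                "markers": markers,
            })
    return results


def make_sample_tree(base):
    """Constructed sample input: a log4j-1.2.17.jar in a WEB-INF/lib folder
    shaped like the ones listed in the thread, plus an unrelated jar that
    must not be reported. Class entries are stubs (class-file magic only)."""
    lib = os.path.join(base, "cognos", "tm1web", "webapps", "tm1web", "WEB-INF", "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n")
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/SocketServer.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "commons-logging-1.2.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    return base


def demo():
    """Build the sample tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(make_sample_tree(tmp))


if __name__ == "__main__":
    for r in demo():
        print(r["path"], r["filename_version"], r["manifest_version"], r["markers"])
```

Point `scan()` at the real install root (for example `C:\Program Files\ibm`) to get the list a scanner would produce; the manifest version is the value to trust when a jar has been renamed, and a log4j 1.x hit with neither JMSAppender nor SocketServer configured anywhere in the accompanying properties files is the case IBM's statement above describes.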