Planning Analytics with Watson

  • 1.  Log4j and PAL / TM1 DB - Time for an update?

    Posted 6 days ago
    Hi,

    The version of log4j that ships with the TM1DB is 1.2.17

    As shown at this location.

    ...\Program Files\ibm\cognos\tm1_64\bin\log4j-1.2.17.jar 

    Given the recent focus on this component, please can IBM make a statement on updating the version of log4j that ships with the DB?

    This is now triggering alerts with customers' internal scanning, and questions are being asked about this and, more generally, about the policy of keeping these components up to date.

    Version 1.2 was end-of-lifed in Aug 2015...

    Many thanks,



    ------------------------------
    Steven Rowe
    Technical Director, InfoCat
    ------------------------------


  • 2.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 6 days ago
    Edited by George Tonkin 6 days ago
    I would like to second this request as I have a client, with multiple installed servers across many countries, asking about updates to log4j throughout PA, wherever it is used i.e. TM1, TM1Web/Spreadsheet services etc. etc.

    They have had a risk raised and group IT are pushing to get a plan of action with timelines to remediate in place.

    I am sure that there are many other clients that will be looking to remediate soon. A roadmap would be great.

    TIA, George.

    ------------------------------
    George Tonkin
    ------------------------------



  • 3.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 6 days ago
    Hello,

    I also created a support ticket about this with IBM on Dec 11, 2021, and asked for confirmation about other PA components, other than PAW, being affected or not by this log4j vulnerability. I got the following response on Dec 22, 2021:

    "Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by security vulnerabilities."

    which is also mentioned in https://www.ibm.com/support/pages/node/6528790. 

    But in this case, I think it still needs to be clarified where this file "...\Program Files\ibm\cognos\tm1_64\bin\log4j-1.2.17.jar" is being used. In which PA component?

    Regards,
    Mucahit

    ------------------------------
    Mucahit Erdal
    ------------------------------



  • 4.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 4 days ago
    The TM1 Server itself does not use log4j and is not impacted by any of the current known log4j vulnerabilities.   

    Log4j v1 is used in other components (TM1 Applications for example) that are part of the current Planning Analytics installation (Planning Analytics 2.0.9.11 and lower).  The Planning Analytics team intends to update these other components to a current version of log4j in the next possible maintenance release.  As new Planning Analytics releases become available we will confirm which CVEs are addressed in the release through our regular product notifications.  An example of this sort of notification (for PAW 2.0.72) can be found here: https://www.ibm.com/support/pages/node/6528790

    You can sign up for product notifications here:  https://www.ibm.com/support/pages/stay-date-my-notifications.

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------
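    The scanner alerts mentioned above come down to one question: which log4j jars are present in the installation tree, and what version does each one actually carry? The script below is an added example for this thread, not code from IBM or from the Planning Analytics product. It walks a directory, matches log4j jar file names, reads the Implementation-Version from each jar's META-INF/MANIFEST.MF as a cross-check on the file name, and labels 1.x jars as end-of-life (Apache ended log4j 1.x support in August 2015). The directory layout and jar contents in build_sample_install are constructed samples that only mimic the tm1_64\bin path quoted in the first post; point the script at a real installation root to inventory it.

```python
"""Inventory log4j jar files under an installation directory.

Added example for this thread; not IBM's or the product's own tooling.
The sample layout built by build_sample_install() is constructed.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches e.g. log4j-1.2.17.jar, log4j-core-2.17.1.jar, log4j-1.2-api-2.17.1.jar.
# The greedy middle part makes the LAST dotted number group the jar's own version.
JAR_NAME_RE = re.compile(r"^log4j(?:-.*)?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


@dataclass
class Log4jJar:
    path: str
    name_version: Optional[str]      # version parsed from the file name
    manifest_version: Optional[str]  # Implementation-Version from the manifest, if any
    status: str                      # "eol-1.x", "2.x" or "unknown"


def manifest_version(jar_path: str) -> Optional[str]:
    """Return Implementation-Version (or Bundle-Version) from META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None  # not a zip, no manifest, or unreadable
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None


def classify(version: Optional[str]) -> str:
    """Bucket a version string by major release; 1.x is end-of-life since Aug 2015."""
    if version is None:
        return "unknown"
    major = version.split(".")[0]
    if major == "1":
        return "eol-1.x"
    if major == "2":
        return "2.x"
    return "unknown"


def find_log4j_jars(root: str) -> List[Log4jJar]:
    """Walk root and return every log4j jar found, sorted by path."""
    found: List[Log4jJar] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            m = JAR_NAME_RE.match(fname)
            if not m:
                continue
            path = os.path.join(dirpath, fname)
            from_name = m.group(1)
            from_manifest = manifest_version(path)
            # Prefer the manifest; the file name can be renamed, the manifest rarely is.
            found.append(Log4jJar(path, from_name, from_manifest,
                                  classify(from_manifest or from_name)))
    found.sort(key=lambda j: j.path)
    return found


def build_sample_install(root: Optional[str] = None) -> str:
    """Create a CONSTRUCTED tree mimicking the tm1_64\\bin path quoted in the thread.

    A value of None writes a manifest without any version line, to exercise the
    fallback to the file name.
    """
    root = root or tempfile.mkdtemp(prefix="log4j-inventory-")
    layout: Dict[str, Optional[str]] = {
        os.path.join("tm1_64", "bin", "log4j-1.2.17.jar"): "1.2.17",
        os.path.join("tm1_64", "samples", "log4j-1.2.15.jar"): None,
        os.path.join("tm1_64", "webapps", "lib", "log4j-core-2.17.1.jar"): "2.17.1",
        os.path.join("tm1_64", "webapps", "lib", "log4j-1.2-api-2.17.1.jar"): "2.17.1",
    }
    for rel, version in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        manifest = "Manifest-Version: 1.0\r\n"
        if version is not None:
            manifest += f"Implementation-Version: {version}\r\n"
        with zipfile.ZipFile(full, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root


if __name__ == "__main__":
    import sys
    # Usage: python log4j_inventory.py "C:\Program Files\ibm\cognos"  (or no argument for the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_install()
    for jar in find_log4j_jars(target):
        print(f"{jar.status:8} name={jar.name_version} manifest={jar.manifest_version} {jar.path}")
```

    The report lists every jar with both version sources, so a discrepancy between file name and manifest stands out, and the "eol-1.x" label gives the scanning team the same finding the first post describes without having to open each jar by hand.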



  • 5.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 4 days ago
    FYI: https://www.ibm.com/support/pages/stay-date-my-notifications <--- does not work.

    ------------------------------
    Michael Burch
    ------------------------------



  • 6.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 4 days ago
    Edited by George Tonkin 4 days ago
    Stuart's link works fine for me, without the period on the end - your link seems to work Michael.

    ------------------------------
    George Tonkin
    ------------------------------



  • 7.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 3 days ago
    Make sure the link
    https://www.ibm.com/support/pages/stay-date-my-notifications
    and not this
    https://www.ibm.com/support/pages/stay-date-my-notifications.

    A dot is on the end which invalidates the link; without the dot the link is fine.

    ------------------------------
    Simon Saul
    ------------------------------



  • 8.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 3 days ago
    Wait... In my understanding log4j is the main logger for all tm1 server logging  (tm1server.log, audit logs and any other logs that can be generated by tweaking the TM1s-log.properties).

    It is an older version and as such is not supposed to be concerned by the security issue experienced by other components but many of our clients have asked if it was ever going to be upgraded...

    Regards, 


    ------------------------------
    Laurent Henssien
    C L A R I T Y
    https://www.clarity.consulting
    ------------------------------



  • 9.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 3 days ago
    Hi Laurent,

    I think many of us have drawn the same conclusion. TM1s-log.properties contains lines referring to Log4J, as do other files.
    I did reach out to IBM to ask about this and was told that the TM1 server uses Log4C which has not had any issues reported yet.

    It would be good to have this officially stated to use as a reference for clients' IT departments to reference.

    HTH,

    ------------------------------
    George Tonkin
    ------------------------------



  • 10.  RE: Log4j and PAL / TM1 DB - Time for an update?

    Posted 3 days ago
    Thanks George, in light of Stuart's answer that would make sense, with all the references in the properties file I really thought it was using log4J 👍

    Well if we get a definitive answer from IBM we'll be able to reassure our clients on the non-vulnerability.


    ------------------------------
    Laurent Henssien
    C L A R I T Y
    https://www.clarity.consulting
    ------------------------------