The ETA for the next Planning Analytics Workspace release (2.0.73) is mid February. As always, this is just an estimate and is subject to change.
Original Message:
Sent: Wed January 19, 2022 09:25 AM
From: AJAY CHANDHOK
Subject: Log4j exploit and security alert
Thank you for confirming Stuart.
Do we have an estimated date for PAW 2.0.73 availability on Fix Central at this stage?
Ajay
------------------------------
AJAY CHANDHOK
Original Message:
Sent: Wed January 19, 2022 08:15 AM
From: STUART KING
Subject: Log4j exploit and security alert
I can confirm the Planning Analytics Workspace 2.0.72 release uses log4j 2.17.0. The next release (2.0.73) will update to log4j 2.17.1.
The Planning Analytics team is paying close attention to the situation with log4j vulnerabilities.
------------------------------
Stuart King
IBM Planning Analytics Offering Manager
Original Message:
Sent: Wed January 19, 2022 04:11 AM
From: AJAY CHANDHOK
Subject: Log4j exploit and security alert
Hi All
I have raised the ticket this morning with IBM, response below:
"You are right, CVE-2021-44832 is not connected with the previous Log4j vulnerability, and the fix for it was not included in PAW 72. CVE-2021-44832 is already reported and the development team is assessing the impact on Planning Analytics. Once they finish the assessment, the corresponding bulletin will be posted via the PSIRT portal.
https://www.ibm.com/trust/security-psirt
https://www.ibm.com/blogs/psirt/
APAR number:
PH43238 PLANNING ANALYTICS VULNERABILITY ASSESSMENT CVE-2021-44832
Once the fix is ready I will let you know within this case too."
Anyone about to upgrade may want to keep an eye on Fix Central and the links above for updates.
Ajay
------------------------------
AJAY CHANDHOK
Original Message:
Sent: Tue January 18, 2022 04:19 PM
From: AJAY CHANDHOK
Subject: Log4j exploit and security alert
Sorry to bring this back to the fore, but we've upgraded our entire suite of PA components to latest release and have just seen that Apache have documented a new log4j 2.17.1, right at the end of December:
Apache 2.17.1
This doesn't look like it's in the latest PAW 2.0.72, which covers log4j 2.17.
Can someone confirm this is the case please and, if so, is there an imminent PAW release about to be added to Fix Central for download?
Cheers
Ajay
------------------------------
AJAY CHANDHOK
Original Message:
Sent: Tue December 21, 2021 09:40 AM
From: Walter Coffen
Subject: Log4j exploit and security alert
PAW 2.0.72 was put on Fix Central last night. Looks like log4j 2.17 released by the Apache foundation 12/18/2021 was incorporated. I verified 2.17 in the Linux install of PAW 2.0.72 I just did.
Security Bulletin
------------------------------
Walter Coffen
Technology Manager
QueBIT Consulting, LLC
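As an added illustration (not code from the thread or from IBM), a Python script that does the check Walter describes on a larger scale: it walks an install tree, reads each log4j-core jar's version from its manifest or file name, and flags anything below 2.17.1, the floor the thread settles on. It assumes log4j ships as plain jar files on disk (nested or shaded jars are not inspected), and the three-jar sample tree it builds is constructed for the demo, not a real PAW layout.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_VERSION = (2, 17, 1)  # floor from the thread: 2.17.1 addresses CVE-2021-44832

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); a missing patch digit counts as 0; None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def jar_version(jar):
    """Version from the manifest's Implementation-Version, else from the file name."""
    try:
        with zipfile.ZipFile(jar) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall through to the file name
    m = re.search(r"log4j-core-([\d.]+)\.jar$", Path(jar).name)
    return parse_version(m.group(1)) if m else None

def scan(root, minimum=MIN_VERSION):
    """Return [(path, version, meets_minimum)] for every log4j-core jar under root."""
    results = []
    for path in sorted(Path(root).rglob("log4j-core*.jar")):
        ver = jar_version(path)
        results.append((str(path), ver, ver is not None and ver >= minimum))
    return results

def build_sample_tree(root):
    """Constructed sample tree (not a real PAW layout): two jars with manifests, one without."""
    for rel, ver in [("a/lib/log4j-core-2.15.0.jar", "2.15.0"),
                     ("b/lib/log4j-core-2.17.0.jar", "2.17.0"),
                     ("c/lib/log4j-core-2.17.1.jar", None)]:
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(Path(root) / rel, "w") as z:
            if ver:  # the third jar is an empty archive with no manifest at all
                z.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")

def demo():
    """Build the constructed tree in a temp dir, scan it, return (file name, version, ok)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return [(Path(p).name, v, ok) for p, v, ok in scan(d)]
```

Run `scan("/path/to/install")` against a real tree; `demo()` only exercises the constructed sample.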
Original Message:
Sent: Fri December 17, 2021 03:44 PM
From: Walter Coffen
Subject: Log4j exploit and security alert
I just noticed this here:
Update December 17, 2:20 pm
IBM is focused on moving to Log4j Version 2.15 as quickly as possible for all applications impacted by CVE-2021-44228. Work also is underway to move to Log4j Version 2.16, for all impacted applications, but our priority right now is to move to at least Version 2.15.
With so much active industry research on Log4j, we will continually see mitigation and remediation recommendations. We continue to review the latest information and share updates accordingly.
------------------------------
Walter Coffen
Technology Manager
QueBIT Consulting, LLC
Original Message:
Sent: Fri December 17, 2021 10:28 AM
From: George Tonkin
Subject: Log4j exploit and security alert
Hi Dean,
Have a look at Soufiane's comment here.
"Christoph, George, the current assessment of the Apache log4j Vulnerability (CVE-2021-44228) for all of Planning Analytics shows that only PAW is affected. Hence, as stated in the bulletin, the remediation for all of PA is to upgrade PAW to V2.0.71"
------------------------------
George Tonkin
Original Message:
Sent: Fri December 17, 2021 10:18 AM
From: Dean Watts
Subject: Log4j exploit and security alert
There has been much attention paid to this issue as regards PAW; however, I am still unclear on the impact/remedy as regards TM1Web. Any further insights?
------------------------------
Dean Watts
Original Message:
Sent: Thu December 16, 2021 04:08 AM
From: AJAY CHANDHOK
Subject: Log4j exploit and security alert
Adding to the thread... I opened some tickets on this yesterday.
We've now got the advice that we need to upgrade PAW to 2.0.71, but I raised the first ticket around the conformance of the other components in the PA suite which we need to move to if moving to PAW 2.0.71.
We are using PA 2.0.9.9, so should be OK there, but since our PASS and PAfE are both 2.0.64, we'll have to move up to 2.0.69 if we are to maintain the conformance of N-2.
Has anyone run a PAW release significantly higher than their other components?
The second ticket was raised around our Cognos Analytics release 11.1.6 IF002, which overnight I have confirmed will now need to be upgraded to 11.1.7, as detailed here:
https://www.ibm.com/support/pages/node/6526474
The document does state "IBM is developing a "non-upgrade" option for "On Prem" customers that will patch the system and allow customers to remain on their current applicable version. This option will be announced and available shortly."... which for us would be the preferred solution.
------------------------------
AJAY CHANDHOK
Original Message:
Sent: Wed December 15, 2021 11:08 AM
From: George Tonkin
Subject: Log4j exploit and security alert
Soufiane has commented that
"PAW uses log4j in its default configuration. Hence, the fixes in log4j 2.16 are not needed, based on our current assessment. Nonetheless, we plan to upgrade log4j to the latest version in future releases of PAW."
Thanks for this reassurance again @Soufiane Azizi
------------------------------
George Tonkin
Original Message:
Sent: Wed December 15, 2021 10:36 AM
From: Steven Rowe
Subject: Log4j exploit and security alert
So... what's the consensus, is PAW 71 ready as a patch for the issue or not? Appreciate this isn't IBM's issue that the initial Apache patch wasn't complete, but it would be good to get some sensible statements around the level of risk here.
From what I understand:
1. If PAW is behind company firewalls, this mitigates the risk, although you could have a bad actor within your organisation.
2. AFAIK there is no way for end users to write to the logs (assuming no hacks of PAW itself). If users can't write to the logs then the risk is zero. There are some big assumptions here though, as I don't really know what log4j is used for in PAW. Is it just "error logs" to text files?
I guess the only sensible option is patch, given no statements about the level of risk involved for the specific product.
We'd already started pushing 71 to customers.
Also note that this page states that Planning Analytics is not impacted, which is pretty ambiguous / misleading....
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
------------------------------
Steven Rowe
Original Message:
Sent: Wed December 15, 2021 09:06 AM
From: Kasper Dueholm
Subject: Log4j exploit and security alert
Hi.
Looks like PAW R71 comes with Log4j 2.15.0, which also has problems.... Not sure if this causes issues for PAW(?)
Log4j 2.16.0 has already been released:
**************
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
**************
Source: Log4j – Apache Log4j 2
/Kasper
------------------------------
Kasper Dueholm
Original Message:
Sent: Wed December 15, 2021 08:57 AM
From: Brian Simpson
Subject: Log4j exploit and security alert
In case anyone didn't get the email or see the previous post about the fix...
#PlanningAnalyticswithWatson