As you probably are aware the Log4j vulnerability was exposed last week. IBM have just released a new version of Planning Analytics Workspace and a set of fixes for Cognos Analytics that addresses this vulnerability.
Planning Analytics Workspace
Versions of Planning Analytics Workspace Impacted by Log4j
The Log4j vulnerability impacts versions of Planning Analytics Workspace since version 2.0.57. Therefore, if you have applied a new version of PAW in the last year and a bit, then you are affected.
Where to get an Updated version of PAW
Please head over to IBM’s Fix Central here and download PAW version 2.0.71 (or later), which contains the fix.
If you need instructions how to install the PAW upgrade to address Log4J, please see this post.
How Urgent is the Upgrade for Planning Analytics Workspace?
If your PAW server is exposed to the internet, then our take on it is that you should schedule the upgrade urgently. If it is behind a corporate firewall and not available to the internet, then you should do the upgrade as soon as possible.
Synchronisation with Other PA Tools
Please also note that if you are upgrading PAW by more than a couple of versions, you will need to upgrade TM1 (PA) Server, Planning Analytics for Excel and Planning Analytics Spreadsheet Services as well. The upgrades for all of these are also available at Fix Central. Instructions for installing each are linked to the product in the previous sentence.
Cognos Analytics
Versions of Cognos Analytics Impacted by Log4j
All versions of Cognos Analytics that use Apache’s Log4j for logging are impacted. This includes all version 11 products, i.e. version 11.0, version 11.1 and the newly released version 11.2.
With regards to Cognos 10, IBM have advised that “Cognos BI 10.2.x does not use log4j v2, only log4j v1. Therefore it is NOT impacted by CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832”.
Where to get Updated version of Cognos Analytics
You have two choices for applying a fix to your Cognos Analytics servers:
- Download and apply a full Fix Pack for your version of Cognos, be it version 11.0, 11.1 or 11.2.
- Download a small Interim Fix and make some minor modifications to some files in your Cognos installation.
Please go to IBM’s Fix Central and download the appropriate package:
- For the full fix pack, go here and choose the OS of your environment. It will be a download of between 5 and 7Gb.
- For the Interim Fix, go here and download the package. It will apply to all versions of Cognos Analytics, i.e. 11.0, 11.1 and 11.2. In this package you will find a PDF which explains what you need to do. You can also find the PDF here. We have deliberately not attached the fix pack in case it is changed by IBM.
How Urgent is the Upgrade for Cognos Analytics?
Like our answer above for PAW, if your CA server is exposed to the internet, then we believe that it is vital that you apply the fix as soon as possible. If the server is not exposed to the internet, then it should still be updated, but is not as urgent.
What is Log4j?
The Log4j vulnerability is a way for attackers to compromise systems that use Apache Log4j for logging.
Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
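The practical question the fixes above raise is which Log4j 2 jars an installation actually contains and whether each is already at a fixed level. The script below is an added example, not from the original post or from IBM: it walks an install directory, identifies log4j-core 2.x jars by their class paths, reads Implementation-Version from the jar manifest, and flags each jar as vulnerable, patched (2.17.1 or later, the first 2.x release that closes all four CVEs named above) or mitigated (JndiLookup.class removed from the jar). The jars it builds for the demo are constructed stand-ins, and any real install path you pass to scan_tree is your own.

```python
import os
import re
import tempfile
import zipfile

FIXED = (2, 17, 1)  # first Log4j 2.x release that closes all four CVEs listed above
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"

def parse_version(text):
    """'2.13.3' -> (2, 13, 3) so versions compare as tuples, not strings."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def classify_jar(path):
    """'patched', 'vulnerable', 'mitigated', or None if not a log4j-core 2.x jar."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None  # Log4j 1.x or an unrelated jar: not affected by these CVEs
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        version = m.group(1) if m else "0"
        if JNDI_CLASS not in names:
            return "mitigated"  # JndiLookup.class has been removed from the jar
        return "patched" if parse_version(version) >= FIXED else "vulnerable"

def scan_tree(root):
    """Walk an install tree (e.g. a PAW or Cognos directory) and report every log4j-core jar."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar") and (status := classify_jar(os.path.join(dirpath, name))):
                report[name] = status
    return report

def _write_jar(path, version, with_jndi):
    """Constructed stand-in for a real log4j-core jar; used only by demo()."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        jar.writestr(CORE_PREFIX + "Logger.class", b"")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")

def demo():
    """Build three constructed jars in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        _write_jar(os.path.join(root, "log4j-core-2.13.3.jar"), "2.13.3", True)
        _write_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
        _write_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", False)
        return scan_tree(root)
```

Run scan_tree against the Cognos or PAW install root before and after applying the Fix Pack or Interim Fix; a jar still reported as vulnerable means the fix has not reached that component.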