
Still on TM1 10.2.X? – Urgent fix is a must

February 4, 2019 / by Srinivas STP

You heard it right. Is your organisation still on TM1 10.2.X, and yet to upgrade to PA?

If yes, this is the blog for you, as your existing TM1 application is prone to multiple security vulnerabilities …

 

This blog reflects on the cause and effect of the issues, possible interim remediation plans and the foolproof solution.

 

Security Vulnerabilities

Customers who are still using IBM Cognos TM1 10.2 and IBM Cognos TM1 10.2.2 are prone to unauthenticated attacks, excessive stack memory issues and other threats. The security vulnerabilities are listed below.

 

OpenSSL could allow a remote attacker to...

  • Obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. Attackers could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.
  • Bypass security restrictions, caused by the failure to properly compare byte values by the PA-RISC CRYPTO_memcmp() function used on HP-UX PA-RISC targets. Attackers could exploit this vulnerability to forge messages, some of which may be authenticated.
  • Obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). Attackers with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.

 

Unspecified vulnerability with Java

  • Java SE I18n component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
  • Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE JGSS component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
  • Java SE JMX component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
  • Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE JMX component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
  • Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.

 

Excessive stack memory Consumption

  • OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory.
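
To show why recursively nested ASN.1 input exhausts the stack and how a nesting cap stops it, here is an added example that is not OpenSSL's or IBM's code. It is a minimal DER walker that recurses once per constructed element and refuses input nested deeper than a fixed limit; `der_walk`, `build_nested` and the `DER_MAX_DEPTH` value are names and choices assumed for this illustration.

```c
#include <stddef.h>

#define DER_MAX_DEPTH 30  /* assumed cap, chosen for this example */

/* Walk the DER TLVs in buf[0..len). Returns the deepest nesting level
 * seen, or -1 if the data is malformed or nests past DER_MAX_DEPTH. */
static int der_walk(const unsigned char *buf, size_t len, int depth)
{
    int deepest = depth;
    size_t pos = 0;
    if (depth > DER_MAX_DEPTH) return -1;     /* stop before the stack grows */
    while (pos < len) {
        unsigned char tag;
        size_t vlen;
        if (len - pos < 2) return -1;         /* need a tag and a length byte */
        tag = buf[pos++];
        if ((tag & 0x1f) == 0x1f) return -1;  /* multi-byte tags: not handled */
        vlen = buf[pos++];
        if (vlen & 0x80) {                    /* long form: n length bytes follow */
            size_t n = vlen & 0x7f;
            if (n == 0 || n > 4 || len - pos < n) return -1;
            for (vlen = 0; n > 0; n--) vlen = (vlen << 8) | buf[pos++];
        }
        if (vlen > len - pos) return -1;      /* value overruns its container */
        if (tag & 0x20) {                     /* constructed: contents are TLVs */
            int d = der_walk(buf + pos, vlen, depth + 1);
            if (d < 0) return -1;
            if (d > deepest) deepest = d;
        }
        pos += vlen;
    }
    return deepest;
}

/* Constructed test input: `levels` nested empty SEQUENCEs (levels <= 64). */
static size_t build_nested(unsigned char *out, int levels)
{
    for (int i = 0; i < levels; i++) {
        out[2 * i] = 0x30;                    /* SEQUENCE, constructed */
        out[2 * i + 1] = (unsigned char)(2 * (levels - 1 - i));
    }
    return (size_t)(2 * levels);
}

int main(void)
{
    unsigned char buf[128];
    return der_walk(buf, build_nested(buf, 31), 0) == -1 ? 0 : 1;
}
```

Without the depth check, each nesting level costs only two input bytes but a full stack frame, which is the imbalance the denial of service relies on.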

 

Primary Cause

IBM Cognos TM1, which uses IBM Runtime Environment Java™ Version 7, has been found to have multiple vulnerabilities, disclosed as part of the IBM Java SDK updates during the first half of this year.

For more information on this and the security vulnerabilities, read the IBM Security Bulletin.

 

Remediation/Fixes

 


For more Information: To check on your existing TM1 entitlements and understand how to mitigate risks & upgrade seamlessly on Planning Analytics, reach out to us at info@octanesolutions.com.au.

Octane Software Solutions Pty Ltd is an IBM Registered Business Partner specialising in Corporate Performance Management and Business Intelligence. We provide our clients advice on best practices and help scale up applications to optimise their return on investment. Our key services include Consulting, Delivery, Support and Training.

Octane has its head office in Sydney, Australia as well as offices in Canberra, Bangalore, Gurgaon, Mumbai, and Hyderabad.

To know more about us, visit OctaneSoftwareSolutions.

 


Written by Srinivas STP

Srinivas is a TM1 Consultant at Octane Software Solutions and has over 12 years’ experience in Data Warehousing, OLAP & Business Analytics dealing with Hyperion Suite, Cognos BI, ODI and OBIEE technologies. Srini has worked with Credit Suisse Bank, Deutsche Bank, Citi Bank, Oracle financial services, McAfee and HCL Technologies before joining Octane.
