<img src="https://trc.taboola.com/1278851/log/3/unip?en=page_view" width="0" height="0" style="display:none">
finding octane
Content_Cut_Icon Twitter_Brands_Icon

Still on TM1 10.2.X? – Urgent fix is a must

Mode_Comment_Icon_white0
Calendar_Regular_Icon_1_whiteFebruary 4, 2019
Alarm_Icon_1_white6 min

You heard it right – Is your organisation still on TM1 10.2.X and haven’t upgraded to PA? If yes, this is the blog for you as your existing TM1 application is prone to Multiple Security Vulnerabilities … Blog tries to reflect upon the cause and effect of the issue/s, possible interim remediation plan/s and the foolproof solution. Security Vulnerabilities Customers who are still using the IBM ...

down-arrow-blue
Book_Open_Solid_Icon

You heard it right – Is your organisation still on TM1 10.2.X and haven’t upgraded to PA?

If yes, this is the blog for you as your existing TM1 application is prone to Multiple Security Vulnerabilities …

 

Blog tries to reflect upon the cause and effect of the issue/s, possible interim remediation plan/s and the foolproof solution.

 

Security Vulnerabilities

Customers who are still using the IBM Cognos TM1 10.2 and IBM Cognos TM1 10.2.2 are prone to unauthenticated attacks, excessive stack memory issues and other threats. Listed below are the security Vulnerabilities;

 

OpenSSL could allow a remote attacker to...

  • Obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. Attackers could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.
  • Bypass security restrictions, caused by the failure to properly compare byte values by the PA-RISC CRYPTO_memcmp() function used on HP-UX PA-RISC targets. Attackers could exploit this vulnerability to forge messages, some of which may be authenticated.
  • Obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). Attackers with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.

 

Unspecified vulnerability with Java

  • Java SE I18n component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
  • Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE JGSS component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
  • Java SE JMX component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
  • Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE JMX component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
  • Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.
  • Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.           

 

Excessive stack memory Consumption

  • OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory   

 

Primary Cause

IBM Cognos TM1 which uses IBM Runtime Environment Java™ Version 7 has been found to have multiple vulnerabilities - disclosed as part of the IBM Java SDK updates during first half of this year.

For more information on this and the security vulnerabilities, Read IBM Security Bulletin.

 

Remediation/Fixes

 

You may also like reading “ What is IBM Planning Analytics Local ” , “IBM TM1 10.2 vs IBM Planning Analytics”, “Little known TM1 Feature - Ad hoc Consolidations”, “IBM PA Workspace Installation & Benefits for Windows 2016”.

For more Information: To check on your existing TM1 entitlements and understand how to mitigate risks & upgrade seamlessly on Planning Analytics, reach out to us at info@octanesolutions.com.au.

Octane Software Solutions Pty Ltd is an IBM Registered Business Partner specialising in Corporate Performance Management and Business Intelligence. We provide our clients advice on best practices and help scale up applications to optimise their return on investment. Our key services include Consulting, Delivery, Support and Training.

Octane has its head office in Sydney, Australia as well as offices in Canberra, Bangalore, Gurgaon, Mumbai, and Hyderabad.

To know more about us visit, OctaneSoftwareSolutions.

 

Leave a comment
Srinivas STP
Srinivas STP

Got a question? Shoot!

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

Get more articles like this delivered to your inbox
footer-img-1

For the best TM1 people in the world, CFOs talk to Octane. Octane support Fortune 500 companies and are subject-matter experts in IBM TM1 Planning Analytics and other financial software. Octane is an IBM gold partner and an IBM Champion 2021. For five consecutive years, Octane has achieved less than one percent customer attrition.