You heard it right: is your organisation still on TM1 10.2.x and has not yet upgraded to Planning Analytics (PA)?
If so, this blog is for you, because your existing TM1 installation is exposed to multiple known security vulnerabilities.
This post looks at the cause and impact of these issues, possible interim remediation and the definitive fix: upgrading.
Security Vulnerabilities
Customers who are still running IBM Cognos TM1 10.2 or IBM Cognos TM1 10.2.2 are exposed to unauthenticated attacks, excessive stack memory consumption and other threats. The security vulnerabilities are listed below.
The OpenSSL library used by TM1 could allow a remote attacker to:
- Obtain sensitive information, caused by an error while parsing the IPAddressFamily extension in an X.509 certificate (CVE-2017-3735). An attacker could exploit this to trigger a one-byte out-of-bounds read, the visible effect of which is an incorrect text display of the certificate. Fixed upstream in OpenSSL 1.0.2m and 1.1.0g.
- Bypass security restrictions, caused by the CRYPTO_memcmp() implementation for HP-UX PA-RISC failing to compare byte values properly (it compares only the least significant bit of each byte). An attacker could exploit this to forge messages, some of which may be accepted as authenticated. This defect is specific to PA-RISC builds and does not affect TM1 deployments on Windows or Linux x86_64.
- Obtain sensitive information, caused by a carry-propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal() (CVE-2017-3736), which only executes on processors supporting the BMI1, BMI2 and ADX extensions. An attacker with online access to an unpatched system could exploit this to learn information about a private key. Fixed upstream in OpenSSL 1.0.2m and 1.1.0g.
Unspecified vulnerabilities in the bundled Java runtime
- Java SE I18n component could allow an unauthenticated attacker to cause low confidentiality, integrity and availability impact via unknown attack vectors.
- Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service (low availability impact) via unknown attack vectors.
- Java SE JGSS component could allow an unauthenticated attacker to obtain sensitive information (high confidentiality impact) via unknown attack vectors.
- Java SE JMX component could allow an unauthenticated attacker to cause high confidentiality and high integrity impact (no availability impact).
- Java SE Security component could allow an unauthenticated attacker to cause a denial of service (low availability impact) via unknown attack vectors.
- Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service (low availability impact) via unknown attack vectors.
- Java SE JMX component could allow an unauthenticated attacker to cause a denial of service (low availability impact) via unknown attack vectors.
- Java SE Security component could allow an unauthenticated attacker to cause high confidentiality and high integrity impact (no availability impact).
- Java SE Security component could allow an unauthenticated attacker to cause low integrity impact only (no confidentiality or availability impact).
Excessive stack memory consumption
- OpenSSL is vulnerable to a denial of service (CVE-2018-0739). By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could cause the parser to recurse until it exhausts the stack. Fixed upstream in OpenSSL 1.0.2o and 1.1.0h.
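As an added example (not part of the original post, and not IBM tooling), the following POSIX shell script compares an OpenSSL version string against the levels at which the OpenSSL issues listed above were fixed upstream (1.0.2m / 1.1.0g for the certificate-parsing and Montgomery-squaring bugs, 1.0.2o / 1.1.0h for the ASN.1 recursion bug) and can optionally scan an install tree for shared libraries carrying an embedded OpenSSL version banner. It assumes nothing about TM1's installation paths or library file names: pass the install root as the first argument; with no argument it runs against constructed version strings.

```shell
#!/bin/sh
# Added example: assess OpenSSL version strings against the fix levels of the
# issues discussed in this post. Install paths are an assumption left to the
# caller ($1); without one the script demonstrates on constructed versions.

# Convert "1.0.2k" (an optional "-fips" style suffix is ignored) into a
# zero-padded 12-digit number so two versions can be compared with -lt.
# The patch letter is mapped to its ASCII code; no letter (e.g. "1.0.2")
# sorts before "1.0.2a".
openssl_key() {
  v=${1%%-*}
  num=${v%%[a-z]*}
  letter=${v#"$num"}
  l=0
  if [ -n "$letter" ]; then
    l=$(printf '%d' "'$letter")
  fi
  maj=${num%%.*}
  rest=${num#*.}
  min=${rest%%.*}
  fix=${rest#*.}
  printf '%03d%03d%03d%03d' "$maj" "$min" "$fix" "$l"
}

# Print a verdict for one version string. Exit 1 when vulnerable, 0 otherwise.
openssl_assess() {
  v=${1%%-*}
  case $v in
    1.0.2*) fixed=1.0.2o ;;   # CVE-2017-3735/3736 fixed in 1.0.2m, CVE-2018-0739 in 1.0.2o
    1.1.0*) fixed=1.1.0h ;;   # the same issues fixed in 1.1.0g and 1.1.0h
    0.9.*|1.0.0*|1.0.1*)
      echo "VULNERABLE (end-of-life branch, never patched)"
      return 1 ;;
    *)
      echo "not-affected (branch newer than the issues listed)"
      return 0 ;;
  esac
  if [ "$(openssl_key "$v")" -lt "$(openssl_key "$fixed")" ]; then
    echo "VULNERABLE (upgrade to $fixed or later)"
    return 1
  fi
  echo "patched"
  return 0
}

# Walk an install tree and report every shared library that embeds an OpenSSL
# version banner (libcrypto/libssl compile in e.g. "OpenSSL 1.0.2k  26 Jan 2017").
# grep -a/-o are GNU and BSD extensions; the pattern covers the 0.9.x-1.1.x
# single-digit branches relevant here.
scan_tree() {
  find "$1" -type f \( -name '*.so*' -o -name '*.dll' -o -name '*.dylib' \) 2>/dev/null |
  while IFS= read -r f; do
    ver=$(grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$f" 2>/dev/null | head -n 1 | cut -d' ' -f2)
    if [ -n "$ver" ]; then
      status=$(openssl_assess "$ver") || true
      printf '%s\t%s\t%s\n' "$f" "$ver" "$status"
    fi
  done
}

if [ $# -gt 0 ]; then
  scan_tree "$1"
else
  # Constructed sample versions, one per interesting case.
  for v in 1.0.1u 1.0.2k 1.0.2m 1.0.2o 1.1.0f 1.1.0h 1.1.1k; do
    printf '%-8s %s\n' "$v" "$(openssl_assess "$v")"
  done
fi
```

The embedded banner is only a first-pass check: a vendor build can carry backported fixes under an older version string, so confirm any "VULNERABLE" result against the fix list in the IBM Security Bulletin before acting on it. Note that 1.0.2m is reported as vulnerable because the ASN.1 recursion issue was fixed two releases later, even though the two 2017 issues are already closed at that level.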
Primary Cause
IBM Cognos TM1 10.2.x bundles IBM Runtime Environment Java Version 7 together with an OpenSSL library, and both have been found to carry the vulnerabilities above, disclosed as part of the IBM Java SDK and OpenSSL updates published during the first half of this year. Because the runtime and library are shipped with the product, they are not patched by operating-system updates; they change only when TM1 itself is patched or upgraded.
For more information on these vulnerabilities, read the IBM Security Bulletin.
Remediation/Fixes
For more information, or to check your existing TM1 entitlements and understand how to mitigate these risks and upgrade seamlessly to Planning Analytics, reach out to us at info@octanesolutions.com.au.
Octane Software Solutions Pty Ltd is an IBM Registered Business Partner specialising in Corporate Performance Management and Business Intelligence. We provide our clients advice on best practices and help scale up applications to optimise their return on investment. Our key services include Consulting, Delivery, Support and Training.
Octane has its head office in Sydney, Australia as well as offices in Canberra, Bangalore, Gurgaon, Mumbai, and Hyderabad.
To learn more about us, visit OctaneSoftwareSolutions.