
Written by Heather L. Cole, December 16th, 2021
There is an identified Log4j security vulnerability that we believe exposes IBM Planning Analytics, Cognos Analytics, ILMT, SPSS Stat and Motio Users. This is not caused by IBM but by a widely used logging library. This issue has become a full-blown security meltdown, affecting digital systems across the internet. Hackers are already attempting to exploit it, but even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide.
The problem lies in Log4j, a ubiquitous, open-source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely.
This vulnerability in the Java logging library Log4j is affecting hundreds of thousands of users of many products in use today, including some IBM products. To be clear, this is an issue affecting many software platforms that use Java, not just IBM. Among the IBM products our clients are concerned about are IBM Cognos Analytics, Planning Analytics, ILMT, SPSS Stat and Motio.
IBM Security X-Force Red has been working nonstop to identify and provide guidance and fixes for affected products. Below is a list of links to fixes for each product.
Fixes and Patches for Log4j Vulnerability
Fixes and patches can be found at IBM Fix Central. Enter your product name, version and operating system and then select the fix needed for each product.
Cognos Analytics – Fixes available for 11.2.1, 11.1.7 and 11.0.13
Info - Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228) - fixes are linked in this blog post.
Fix Central - IBM Support: Fix Central - Select fixes
Planning Analytics – Update Planning Analytics Workspace to the latest version released on Dec 14. PAW 2.0.71
Fix Central - IBM Support: Fix Central - Select fixes
Controller –
Fix Central – none yet.
SPSS Statistics - Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228)
ILMT – update ILMT to 9.2.8
Info – CVE-2021-44228 and CVE-2021-4104 Log4j library vulnerabilities in License Metric Tool (ibm.com)
Fix Central - IBM Support: Fix Central - Identify fixes
Motio CI – upgrade to 3.2.10 FL8
Fix - Log in | Motio Customer Portal
SAAS Planning Analytics Customers - IBM has added the patches to their cloud SaaS Planning Analytics so you are all set!
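Whether a product is on the list above or not, the first question on each server is which Log4j jars are actually installed and whether they are still the vulnerable ones. The following inventory script is an added example, not code from Lodestar Solutions or IBM. It assumes the standard Apache jar naming (log4j-core-<version>.jar for 2.x, log4j-<version>.jar for 1.x) and the class path of JndiLookup that Apache's interim mitigation guidance refers to; IBM fix packs may bundle Log4j under product-specific paths, so point it at the product install root. The sample jars it scans are constructed inside the script so it runs offline.

```python
"""Inventory Log4j jars on a host and flag ones affected by CVE-2021-44228.

Added example, not code from Lodestar Solutions or IBM. Assumes Apache's
jar naming and the JndiLookup class path referenced by Apache's interim
mitigation guidance; adjust JAR_RE for vendor-renamed bundles.
"""
import os
import re
import tempfile
import zipfile

# Matches log4j-core-2.14.1.jar (2.x) and log4j-1.2.17.jar (1.x).
# log4j-api jars carry no JndiLookup, so they are deliberately not matched.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")
# Class whose removal is the documented interim mitigation for 2.x < 2.15.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(filename):
    """Return (major, minor, patch) from a Log4j jar name, or None."""
    m = JAR_RE.match(os.path.basename(filename))
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version, has_jndi_lookup):
    """Map a version plus JndiLookup presence to a remediation status."""
    if version is None:
        return "unknown"
    if version[0] == 1:
        # 1.x is end of life; CVE-2021-4104 concerns its JMSAppender.
        return "log4j-1.x-eol"
    if version < (2, 15, 0):
        if has_jndi_lookup:
            return "vulnerable-CVE-2021-44228"
        return "mitigated-JndiLookup-removed"
    if version < (2, 16, 0):
        # 2.15.0 closed CVE-2021-44228 but was followed by CVE-2021-45046.
        return "partial-fix-upgrade-to-2.16+"
    return "fixed"


def jar_has_jndi_lookup(path):
    """True if the jar still contains the JndiLookup class."""
    try:
        with zipfile.ZipFile(path) as jar:
            return JNDI_LOOKUP in jar.namelist()
    except zipfile.BadZipFile:
        return False


def scan_tree(root):
    """Walk root and return {jar path: status} for every Log4j jar found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            version = parse_version(name)
            if version is None:
                continue  # not a Log4j jar
            path = os.path.join(dirpath, name)
            findings[path] = classify(version, jar_has_jndi_lookup(path))
    return findings


def build_sample_tree():
    """Create constructed sample jars (empty class entries) for a dry run."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    samples = {
        "app1/lib/log4j-core-2.14.1.jar": True,    # still has JndiLookup
        "app2/lib/log4j-core-2.14.1.jar": False,   # JndiLookup removed
        "app3/lib/log4j-core-2.16.0.jar": False,   # patched release
        "legacy/lib/log4j-1.2.17.jar": False,      # 1.x line
        "app3/lib/other-lib-1.0.0.jar": False,     # unrelated jar
    }
    for rel, with_lookup in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_lookup:
                jar.writestr(JNDI_LOOKUP, b"")
    return root


def demo():
    """Scan the constructed tree and key results by relative path."""
    root = build_sample_tree()
    return {os.path.relpath(p, root).replace(os.sep, "/"): s
            for p, s in scan_tree(root).items()}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:32} {path}")
```

Run it once before applying a fix pack to record the baseline and again afterwards; any jar still reported as vulnerable-CVE-2021-44228 means the fix did not reach that component, and a mitigated-JndiLookup-removed result should still be followed by the vendor upgrade rather than treated as final.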
More to Come...
There may be additional releases in the coming days and weeks for these products and others. Lodestar will continue to provide updates as this situation continues to develop and fixes become available.
If you are an active Lodestar Solutions client and were unable to attend our webinars on this issue you will find the recording in our Lodestar Solutions’ Client Only Portal. If you don’t have access to this library, email Services@lodestarsolutions.com and we will set you up.
Do You Need Help?
If you have a SOW in place with us, then email Mike to schedule help. If you don’t have an emergency SOW with us or are out of hours, again email Mike and he will send you a new SOW for signature. Remember, entering an SOW costs you nothing. We only bill for hours you use. services@lodestarsolutions.com
Lodestar Solutions has your back, call us with questions 813-415-2910.
What about clients with a CA version not listed, like CA 11.1.6?
Is there a fix?
Hi,
As you can see by the updated link here. https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apache-log4j-vulnerability-cve-2021-44228-3/
11.1.6 is affected as well. Also, 11.1.6 is not the long term release for CA and will not be supported in the future. I would suggest upgrading to 11.1.7 at a minimum and applying the fix for log4j.