Updated December 21, 2021

Summary

Multiple vulnerabilities have been discovered involving Apache Log4j. This was originally known as CVE-2021-44228, but it has been expanded to also include both CVE-2021-45046 and CVE-2021-45105. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This may have a significant impact on your existing models.

Details

This issue impacts all users currently on IBM Planning Analytics Workspace 2.0.57 and higher. IBM released a fix via PAW release 72. The updated PAW version includes Apache version 2.17, which covers all three CVEs. More information can be found directly on IBM’s site via the following link:

• https://www.ibm.com/support/pages/node/6528790?myns=swgother&mynp=OCSSCTEW&mync=E&cm_sp=swgother-_-OCSSCTEW-_-E

Note: Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by security vulnerabilities.

Recommended next steps:

It is strongly recommended that you apply the most recent security update:

• If you are on PA Local (the on premise version) we recommend updating to PAW Release 72 immediately
• If you are on PA Cloud (SaaS), the patch will be applied on December 21, 2021

You can download release 72 via the following link:

• https://www.ibm.com/support/pages/node/6528420

If you have any questions or concerns, please contact John Pra Sisto.