As you are probably aware, the Log4j vulnerability was disclosed last week. IBM have just released a new version of Planning Analytics Workspace (PAW) that addresses this vulnerability.
Versions of Planning Analytics Workspace Impacted by Log4j
The Log4j vulnerability affects Planning Analytics Workspace from version 2.0.57 onwards. If you have applied a new version of PAW in the last year, you are affected.
Where to Get an Updated Version of PAW
Please head over to IBM’s Fix Central and download PAW version 2.0.71, which contains the fix.
If you need instructions on how to install the PAW upgrade to address Log4j, please contact Support.
How Urgent is the Upgrade?
If your PAW server is exposed to the internet, then our take on it is that you should schedule the upgrade urgently. If it is behind a corporate firewall and not available to the internet, then you should do the upgrade as soon as possible.
Synchronisation with Other PA Tools
Please also note that if you are upgrading PAW by more than a couple of versions, you will also need to upgrade TM1 (PA) Server, Planning Analytics for Excel and Planning Analytics Spreadsheet Services. The upgrades for all of these are also available at Fix Central.
What is Log4j?
The Log4j vulnerability is a way for attackers to compromise systems that use Apache Log4j for logging.
Apache Log4j could allow a remote attacker to execute arbitrary code on the system, because its JNDI features fail to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.