Fix Pack Releases: 10.2 Series
Posted: Sat Aug 30, 2014 8:05 pm
For those who are unaware, this morning IBM released a bunch of fix packs / interim fixes for the three main current versions, 9.5.2, 10.1 and 10.2. For the most part they relate to security. I'll put a separate post for each version to allow any discussions to be held under the relevant version post.
For 10.2 the release is Cognos TM1 10.2.0.2.1 (10.2.0 Fix Pack 2, Interim Fix 1), the main page for which will be found here.
The fix lists for the various fixpacks will be found here; there are way too many to list in this post.
10.2.0 FP2 IF1 deals with four security issues:
CVE-2014-0224, which is described as "OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic";
CVE-2014-0411, which is described as "Timing differences based on validity of TLS messages can be exploited to decrypt the entire session. The exploit is not trivial, requiring a man-in-the-middle position and a long time to complete";
CVE-2014-0863, described as "A security vulnerability has been discovered in IBM Cognos TM1 resulting in unencrypted passwords found in memory on client"; and
CVE-2014-0877, which is described as "The link generated when opening the Rights page for an application can be opened anywhere, without the need to log in."
The release notes for the various versions will be found below (this part of the post is updated as new patches are released):
10.2.0
10.2.0 FP1, which addressed a range of problems with various components of TM1
10.2.0 FP2
10.2.0 FP2 IF1
Cognos TM1 10.2.0.2 Interim Fix 6 (08 Apr 2016)
Cognos TM1 10.2.0.2 Interim Fix 8 (13 Apr 2017)
Cognos TM1 10.2.0.2 Interim Fix 9 (04 Aug 2017)
End Of Life notification. Support ends on 30 September 2018. (Announced 13 Sep 2017)
Cognos TM1 10.2.0.2 Interim Fix 10 (23 Jan 2018)
Cognos TM1 10.2.0.2 Interim Fix 24 (5 April 2018)
10.2.2
10.2.2 FP3 (released 24 Apr 2015, removed 12 May 2015).
10.2.2 FP4 (Released 16 Sep 2015).
10.2.2 FP5 (04 Mar 2016)
10.2.2 FP6 (22 Aug 2016)
IBM Cognos TM1 10.2.2 Fix Pack 5 Interim Fix 1 (08 Apr 2016)
IBM Cognos TM1 10.2.2 Fix Pack 6 Interim Fix 1 (06 Feb 2017)
IBM Cognos TM1 10.2.2 Fix Pack 7 (11 Apr 2017)
IBM Cognos TM1 10.2.2 Fix Pack 7 Interim Fix 1 (04 Aug 2017)
End Of Life notification. Support ends on 30 September 2019. (Announced 13 Sep 2017)
IBM Cognos TM1 10.2.2 FP7 IF5 and higher (21 Sep 17)
Cannot be downgraded to an earlier version. See this post.
IBM Cognos TM1 10.2.2 Fix Pack 7 Interim Fix 2 (23 Jan 2018)
IBM Cognos TM1 10.2.2 Fix Pack 7 Interim Fix 12 (05 April 2018)
IBM Cognos TM1 10.2.2 Fix Pack 7 Interim Fix 18 (03 December 2018)
IBM Cognos TM1 10.2.2 Fix Pack 7 Interim Fix 21 (18 April 2019)
IBM Cognos TM1 10.2.2 Fix Pack 7 Interim Fix 22 (28 Jun 2019)