Fix Pack Releases: 9.5.2
Posted: Sat Aug 30, 2014 8:05 pm
For those who are unaware this morning IBM released a bunch of fix pack / interim fixes for the three main current versions, 9.5.2, 10.1 and 10.2. For the most part they relate to security. I'll put a separate post for each version to allow any discussions to be held under the relevant version post.
For 9.5.2 the release is Cognos TM1 9.5.2 Fix Pack 3 Interim Fix 5. (I'm assuming that everyone who is on 9.5.2 already has FP3; if you don't, you should since it cuts down (but doesn't entirely remove) the accursed "clipboard is in use" errors in active forms as well as addressing a whole bunch of PMRs, way too many to list in this post.)
IF 5 (the main page for which will be found here), is a server only release which addresses three security vulnerabilities:
CVE-2014-0224, which is described as "OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic";
CVE-2014-0411, which is described as "Timing differences based on validity of TLS messages can be exploited to decrypt the entire session. The exploit is not trivial, requiring a man-in-the-middle position and a long time to complete"; and
CVE-2014-0863, described as "A security vulnerability has been discovered in IBM Cognos TM1 resulting in unencrypted passwords found in memory on client". (How a "server only" fix rectifies that isn't clear.)
For 9.5.2 the release is Cognos TM1 9.5.2 Fix Pack 3 Interim Fix 5. (I'm assuming that everyone who is on 9.5.2 already has FP3; if you don't, you should since it cuts down (but doesn't entirely remove) the accursed "clipboard is in use" errors in active forms as well as addressing a whole bunch of PMRs, way too many to list in this post.)
IF 5 (the main page for which will be found here), is a server only release which addresses three security vulnerabilities:
CVE-2014-0224, which is described as "OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic";
CVE-2014-0411, which is described as "Timing differences based on validity of TLS messages can be exploited to decrypt the entire session. The exploit is not trivial, requiring a man-in-the-middle position and a long time to complete"; and
CVE-2014-0863, described as "A security vulnerability has been discovered in IBM Cognos TM1 resulting in unencrypted passwords found in memory on client". (How a "server only" fix rectifies that isn't clear.)