Fix Pack Releases: 10.1 Series
Posted: Sat Aug 30, 2014 8:05 pm
For those who are unaware this morning IBM released a bunch of fix pack / interim fixes for the three main current versions, 9.5.2, 10.1 and 10.2. For the most part they relate to security. I'll put a separate post for each version to allow any discussions to be held under the relevant version post.
For 10.1 the release is Cognos TM1 10.1.1.2 Interim Fix 1, the main page for which will be found here.
The fix lists for 10.1.1, 10.1.1 IF1, 10.1.1 FP1 and 10.1.1 FP2 will be found here. There are way too many to list in this post.
10.1.1.2 IF1 deals with four security issues:
CVE-2014-0224, which is described as "OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic";
CVE-2014-0411, which is described as "Timing differences based on validity of TLS messages can be exploited to decrypt the entire session. The exploit is not trivial, requiring a man-in-the-middle position and a long time to complete";
CVE-2013-4322, which is described as "Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544." (Why this should affect 10.1 isn't clear since as far as I know the change to Tomcat didn't happen until 10.2, but take the thing at its word);
CVE-2014-0863, described as "A security vulnerability has been discovered in IBM Cognos TM1 resulting in unencrypted passwords found in memory on client".
Updates
09 Mar 2015: IBM Cognos TM1 10.1.1.2 Interim Fix 3
08 May 2015: Cognos TM1 10.1.1.2 Interim Fix 4
21 Sep 2015: Cognos TM1 10.1.1.2 Interim Fix 5
08 Apr 2016: 10.1.1.2 Interim Fix 6 (10.1.1 FP2 IF6)
27 Jul 2016: 10.1.1.2 Interim Fix 7 (10.1.1 FP2 IF7)
13 Apr 2017: 10.1.1.2 Interim Fix 8 (10.1.1 FP2 IF8)