Security Alert for Java in version 10.1 or higher

Posted: Fri Dec 27, 2013 5:19 pm
by Alan Kirk
For anyone who missed it, there's been a Java-related security alert relating of course to TM1 Applications ( :roll:) for 10.1, 10.1.1 and 10.2.
Iboglix Security Bulletin wrote:
DESCRIPTION: An unspecified vulnerability in Java related to the Java Runtime Environment Libraries component.

The products listed below have been determined to contain service APIs that allow content to be passed onto the affected APIs in Java. Attack vectors can take advantage of this exploit, which can effectively result in a hanging Java process.
How you tell the difference between the system being compromised and actually hanging vs Java just being its usual slow, bloated, cr@ppily performing self, waddling through its "It'll get there eventually" code execution cycle is not referred to in the bulletin.
Iboglix Security Bulletin wrote:
The attack does require authentication, but may be exploited remotely; some degree of specialized knowledge and techniques is required. An exploit would not impact the confidentiality of information or data integrity, but the availability of the system could be compromised.
The recommendation is to upgrade to:
10.1.0 (Windows): Install 10.1 FP1 and then Interim Fix 3
10.1.0 (Unix and Linux): Install 10.1 FP1 and then contact IBM Technical Support to obtain the interim fix
10.1.1 (all platforms): Install 10.1.1 FP2
10.2: Install IBM Cognos TM1 10.2.0 FP1

This would probably explain the early release of 10.2 FP1, which was originally scheduled for next month. However that pull forward does make me wonder whether everything that was supposed to be fixed in it actually was.