Researchers investigating the most critical Log4j vulnerability, CVE-2021-44228, have now highlighted two additional, related vulnerabilities of concern: CVE-2021-45046 and CVE-2021-45101. QueBIT and our partners have been quick to act in addressing and monitoring for these vulnerabilities in their software, but because the situation is still evolving, customers should continue to check for further updates. The following are the latest updates from QueBIT and our partners regarding Log4j vulnerabilities since our original Log4j notice:
Anaplan
Anaplan continues to review new information about Log4j vulnerabilities and is closely monitoring its environments. An updated release of the Anaplan Connector for MuleSoft from December 23, 2021 addresses the three vulnerabilities listed above for that component.
IBM Cognos Analytics (CA) & Planning Analytics (PA)
Additional patch releases have been provided by IBM:
- CA: Patch releases (for 11.2.x, 11.1.x, and 11.0.6 to 11.0.13 FP4) and workarounds are available for the CVE-2021-44228 and CVE-2021-45046 vulnerabilities. More information can be found here.
- PA: PA Workspace (PAW) is the only PA component impacted, and all three vulnerabilities listed above are addressed in PAW 2.0.72. Customers should take steps to update to this version as soon as possible, even if they had previously updated to PAW 2.0.71. More information can be found here.
IBM CA and PA Cloud customers have already been upgraded to these patch releases. For all other IBM software, please monitor IBM’s update page on the Apache Log4j vulnerabilities here.
QueBIT Software
Euclid Studio is the only QueBIT software that is impacted, and version 4.3.2.0, available in our software portal, addresses the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
Workday Adaptive Planning
The following is an excerpt of the latest Log4j update from Workday’s Information Security and Trust page:
Dec 22, 2021: All environments we have identified containing Customer Data running Log4j have been updated or patched to mitigate the issues identified in CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-4105. We continue to follow all Log4j advisories and software updates in accordance with our risk assessment processes. We will share Log4j version information for customer-installed products to coincide with the scheduled service update. [W]e have found no indication to date that Customer Data, or environments containing Customer Data, have been affected by Log4j vulnerabilities.
Please do not hesitate to reach out to your QueBIT contacts, or email us at info@quebit.com if you have any additional questions.