IBM produces a great deal of information for clients and business partners to help support the ongoing use of Planning Analytics (PA). One communication tool they have is based on subscribing by product to a list of possible notifications. For example, if you are a PA administrator, you may find the general “News” notifications useful, while someone who provides IT support for the PA platform may be most interested in the “Downloads & Drivers” notifications.
For this article, we are after the “FLASH: Security Bulletins” that are often emailed when a new release/patch of Planning Analytics (PA), Planning Analytics Workspace (PAW), Planning Analytics Spreadsheet Services (PASS(TM1Web)) becomes available on IBM Fix Central. Basically, a notice is sent to apply a software update that will mitigate one or more software security vulnerabilities.
Read on to learn how to subscribe to “FLASH: Security Bulletins” (or any other available notifications), followed by some tips on how to interpret them. At the end, direct links to some of the most recent security bulletins are provided for your convenience.
If you have an IBMid for some reason, such as using PA Cloud, for logging support cases, or downloading new releases of software, you can enable receiving the periodic email notifications. If you do not have an IBM ID, you can create an IBMid at this link or just click any “Create an IBMid” link you may come across at IBM.com and then enable the notifications. The following URL https://www.ibm.com/support/mynotifications will bring you to a “My Notifications” screen after you log in to IBM where you can build a list of IBM products you wish to receive notices about. Using the search box for “Planning Analytics” will return four hits:
In the last two cases, “on-premises” also includes when your servers are virtual machines hosted by a large cloud provider. In any event, there is a content overlap between the subscribed products if you subscribe to more than one. However, given my list of subscriptions, the overlap seems to be actively managed, and I only receive unique, consolidated notices and no duplicates.
Subscribing to a product opens a “Select document types” windows for choosing the types of notifications you wish to receive. Each product subscribed to will have a separate list of document types so each product’s notifications can be fine-tuned.
Each subscribed product will have a “View” link under a “Notifications” column that will give a historical list of prior notifications for that product. A link is also provided for setting up an “RSS/Atom feed” for the notifications. The “Edit” link for each product under “Document Types” will re-open the selection window that lists all the types of notifications available for the product. The first two, “Security bulletin” and “Flashes” are probably the most crucial, as you will want to receive the latest information on these types of items. Other notification documents type such as “News”, “Fixes”, “Troubleshooting” and many more are available and informative. I select all the document types for several IBM products that I follow. I do not feel inundated by email at all, but I do feel informed in a timely way. The final column of the “My Notifications” window is the option to “Unsubscribe” from receiving notifications for a particular product. The critical takeaway is that you should subscribe to the notifications, or at least make sure someone at your organization is subscribed.
Now these “Security bulletin” and “Flash” notifications can be alarming when they arrive in your inbox given the ever-increasing risks from internet hackers and criminal organizations and after hearing about massive data breaches that are reported in the news. These “Security Bulletins” will often list several software issues, some very recently discovered, and will typically contain a remedy that usually takes the form of applying a new IBM Fix Central product update file to PA, PAW, or PASS. (Note that IBM Fix Central requires extra permissions that a basic, self-created IBMid does not have).
Much of the listed software vulnerabilities are not an issue when a good corporate firewall is in place and all users are properly credentialed. But that is the devil in the detail. By various means, nefarious actors do periodically get access to the internal network which is a prime attack vector for many software vulnerabilities. Another aspect to be considered is that many vulnerabilities are only “theoretically” exploitable, that actual exploit code does not exist, even “in the lab”...yet. All this information has to be evaluated before a course of action can be determined.
The question then becomes are the risks bad enough to warrant a software upgrade which is potentially a large task. Sometimes extensive change control paradigms are at play and upgrades take a much, much longer time than the actual installation process takes. Everything should be adequately tested before moving a change to a “Production” environment. The answer on upgrading or not depends on how well corporate security has been able to block external and internal intrusions in the past, and the relative risk scores of the vulnerabilities.
The Common Vulnerability Scoring System (CVSS) is used to rate the severity and risk of computer system security on a 0-10 scale. Scores less than 4.0 are of low risk, 4.0 to 6.9 are medium risk, 7.0 to 8.9 are high risk, and 9.0 and over are critical risk. IBM will share with you these CVSS scores of the security vulnerabilities in their security notifications. These scores are under the assumption that the attacker has already located and identified the vulnerability. A PA/PAW/PASS server behind a corporate firewall hides the “location” and “identity” of the vulnerability from all outsiders but could be exposed to internal intruders. Not knowing that a company has a PA/PAW/PASS server suppresses the risk of the vulnerability but is not a primary defense. However, if internal network break-ins are frequent, then the CVSS score may be as accurate inside as it is outside the corporate firewall. These are quantitative/qualitative evaluations that must occur whenever an assessment of the risk for a vulnerability or list of vulnerabilities is undertaken. There are three-letter government agencies that are basically impregnable to hacking, and there are some government agencies that are like sieves. The latter should patch software with a greater urgency and frequency than the former.
The “firewall” is a big, important safety barrier, but some companies have PA and PAW right on the internet due to the nature of their user base. In that case, those clients should consider upgrading PA and PAW as often as it gets patched, even when the CVSS scores are low. The theoretical exploits are more tangible if a server can be easily port-scanned or probed over the internet from anywhere in the world, than if a deviant has to sneak into the building after hours to attempt hacking the network in-person.
To summarize, every security notification is important, but not every warning needs to be acted upon. Make sure you get the information you need to respond to issues, and timely notifications from IBM will help. Your relationship to an IBM Platinum Partner such as QueBIT Consulting, LLC, will also help you to navigate reaction plans to security concerns.
Last 5 IBM PA Security Bulletins (as of September 1, 2021):