Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities

Summary

The Planning Analytics Workspace component of IBM Planning Analytics is affected by vulnerabilities . These have been addressed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace and all IBM Planning Analytics Cloud Data Centers have been updated.

Vulnerability Details

CVEID:CVE-2020-4670
**DESCRIPTION:**IBM Planning Analytics connects to a Redis server. The Redis server, an in-memory data structure store, running on the remote host is not protected by password authentication. A remote attacker can exploit this to gain unauthorized access to the server.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2020-4669
**DESCRIPTION:**IBM Planning Analtyics connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

IBM Planning Analytics Local 2.0

IBM Planning Analytics Cloud 2.0

Remediation/Fixes

The recommended solution is to apply the most recent security update:

Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 63 from Fix Central.

The applicable vulnerabilities have been addressed on all IBM Planning Analytics Cloud Data Centers.

Workarounds and Mitigations

None