High Severity

Security Bulletin: IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104)

Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104). Although IBM Cognos Controller is not vulnerable to the listed CVEs, all instances of Apache Log4j v1.x were proactively upgraded to Apache Log4j v2.17.1 for the IBM Cognos Controller 10.4.2 and 10.4.1 streams.

CVE(s): CVE-2022-23305, CVE-2022-23302, CVE-2021-4104

Affected product(s) and affected version(s):

IBM Cognos Controller 10.4.2

IBM Cognos Controller 10.4.1

IBM Cognos Controller 10.4.0


Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6591309
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048
