IBM Support

Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046)

Security Bulletin


Summary

IBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-45046) vulnerability. IBM Cognos Analytics has upgraded Apache Log4j to v2.16. This update also addresses CVE-2021-44228. Please note that this Security Bulletin has been superseded by Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832). See References section below.

Vulnerability Details

CVEID:   CVE-2021-45046
DESCRIPTION:   Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Cognos Analytics 11.2.x

IBM Cognos Analytics 11.1.x

IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

Remediation/Fixes

Two links have been provided for each Interim Fix. The majority of clients will access the Interim Fix via the link under Fix Version. For clients who have IBM Cognos Analytics by way of another product such as IBM Planning Analytics, IBM Cognos Controller, IBM OpenPages, etc. you will access the Interim Fix via the link under the Bundled Customers.

Affected Version

Fix Version

Bundled Customers

IBM Cognos Analytics 11.2.x

IBM Cognos Analytics 11.2.1 Interim Fix 3

IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)

IBM Cognos Analytics 11.1.x

IBM Cognos Analytics 11.1.7 Interim Fix 9 IBM Cognos Analytics 11.1.7 Interim Fix 9 (Bundled)

IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

IBM Cognos Analytics 11.0.13 Interim Fix 5

IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)

CVE-2021-45046 and CVE-2021-44228 have been remediated on all IBM Cognos Analytics on Cloud environments.

Workarounds and Mitigations

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

The single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x.



The log4jSafeAgent file that is provided for Cognos Analytics modifies the class byte code at the Java startup time. It removes the vulnerable JNDI lookup, and enforces the StrSubstitutor recursion limit without altering the installed product.

It effectively rewrites the “org/apache/logging/log4j/core/lookup/JndiLookup” class to remove its content during IBM Cognos Analytics start up.

To get the patch and detailed instructions, click this link: log4jSafeAgent

Bundle Customers can use the following link: log4jSafeAgent Bundled

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

Change History

20 April 2022 Updated Fix Version links for CA 11.x Bundle Customers to point to latest Interim Fix that address Apache log4j vulnerabilities
13 Jan 2022 Updated Fix Version links for Bundle Customers to point to latest Interim Fixes that address Apache log4j vulnerabilities
10 Jan 2022: Updated Fix Version titles to reflect updated latest IF version available. Updated the reference to the latest Security Bulletin that supersedes this one. Added more technical context to the Workarounds / Mitigations section and clarified the different links available in the Remediation / Fixes section.
22 Dec 2021: IBM Cloud and Cloud Hosted instances remediation completion added to Remediation/Fixes
21 Dec 2021: Modified Mitigation instructions to point to .jar and .pdf
20 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"Cognos Analytics"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.2, 11.1, 11.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
20 April 2022

UID

ibm16528388