IBM Support

Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046)

Security Bulletin


Summary

IBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-45046) vulnerability. IBM Cognos Analytics has upgraded Apache Log4j to v2.16. This update also addresses CVE-2021-44228. Please note that this Security Bulletin has been superseded by Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832). See References section below.

Vulnerability Details

CVEID:   CVE-2021-45046
DESCRIPTION:   Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Cognos Analytics 11.2.x

IBM Cognos Analytics 11.1.x

IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

Remediation/Fixes

Two links have been provided for each Interim Fix. The majority of clients will access the Interim Fix via the link under Fix Version. For clients who have IBM Cognos Analytics by way of another product such as IBM Planning Analytics, IBM Cognos Controller, IBM OpenPages, etc. you will access the Interim Fix via the link under the Bundled Customers.

Affected Version

Fix Version

Bundled Customers

IBM Cognos Analytics 11.2.x

IBM Cognos Analytics 11.2.1 Interim Fix 3

IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)

IBM Cognos Analytics 11.1.x

IBM Cognos Analytics 11.1.7 Interim Fix 9 IBM Cognos Analytics 11.1.7 Interim Fix 9 (Bundled)

IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

IBM Cognos Analytics 11.0.13 Interim Fix 5

IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)

CVE-2021-45046 and CVE-2021-44228 have been remediated on all IBM Cognos Analytics on Cloud environments.

Workarounds and Mitigations

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

The single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x.



The log4jSafeAgent file that is provided for Cognos Analytics modifies the class byte code at the Java startup time. It removes the vulnerable JNDI lookup, and enforces the StrSubstitutor recursion limit without altering the installed product.

It effectively rewrites the “org/apache/logging/log4j/core/lookup/JndiLookup” class to remove its content during IBM Cognos Analytics start up.

To get the patch and detailed instructions, click this link: log4jSafeAgent

Bundle Customers can use the following link: log4jSafeAgent Bundled

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

Change History

20 April 2022 Updated Fix Version links for CA 11.x Bundle Customers to point to latest Interim Fix that address Apache log4j vulnerabilities
13 Jan 2022 Updated Fix Version links for Bundle Customers to point to latest Interim Fixes that address Apache log4j vulnerabilities
10 Jan 2022: Updated Fix Version titles to reflect updated latest IF version available. Updated the reference to the latest Security Bulletin that supersedes this one. Added more technical context to the Workarounds / Mitigations section and clarified the different links available in the Remediation / Fixes section.
22 Dec 2021: IBM Cloud and Cloud Hosted instances remediation completion added to Remediation/Fixes
21 Dec 2021: Modified Mitigation instructions to point to .jar and .pdf
20 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"Cognos Analytics"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.2, 11.1, 11.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
20 April 2022

UID

ibm16528388