A critical vulnerability in Apache Log4j 2 impacting versions 2.0-beta9 through 2.12.1 and versions 2.13.0 through 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.
Cognos has been identified as potentially being affected by CVE-2021-44228. IBM’s Cognos is included in Flexera Analytics and is used as a reporting engine for FlexNet Manager Suite and FlexNet Manager for Engineering Applications. This article describes possible mitigation steps that can be applied to Cognos, as used in Flexera Analytics, until a formal hotfix is issued.
Affected users should do one of the following:
Follow the IBM remediation options.
Remove Flexera Analytics (Cognos) from the computer where it is installed.
A summary of IBM’s recommendations to its clients:
Removal of JndiLookup Class
To remove the JndiLookup class on an installation of Flexera Analytics (Cognos):
1. Make a backup copy of log4j-core-2.7.jar found here (where "<number>" is a number that depends on the Cognos version installed): C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\<number>\0\.cp
2. Copy the same log4j-core-2.7.jar file to a directory you have write access to.
3. Open the copy of log4j-core-2.7.jar in a program like 7Zip.
4. Delete the file JndiLookup.class.
5. Save the updated .jar file archive.
6. Copy the updated log4j-core-2.7.jar file back to the original location: C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\<number>\0\.cp
7. Also replace the file in this location: C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\<number>\0\.cp
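The removal steps above as a script, added here as an example and not taken from Flexera or IBM. It goes slightly beyond the manual procedure by finding every log4j-core jar under a servers directory, so the varying "<number>" does not need to be known, and by checking each rewritten jar before it replaces the original. The function names and backup layout are assumptions; the entry path is where JndiLookup.class sits inside log4j-core 2.x jars.

```python
import shutil
import zipfile
from pathlib import Path

# Entry name of the class inside log4j-core 2.x jars.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """Return True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_ENTRY in jar.namelist()


def strip_jndi_lookup(jar_path, backup_dir):
    """Back up one jar, then replace it with a copy lacking JndiLookup.class.

    Returns the backup path, or None when the class was already absent.
    """
    jar_path, backup_dir = Path(jar_path), Path(backup_dir)
    if not has_jndi_lookup(jar_path):
        return None  # already mitigated, leave the file untouched
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / (jar_path.name + ".orig")
    if backup.exists():
        raise FileExistsError(f"refusing to overwrite backup {backup}")
    shutil.copy2(jar_path, backup)            # step 1: backup copy
    work = backup_dir / jar_path.name         # step 2: copy in a writable directory
    with zipfile.ZipFile(backup) as src, \
            zipfile.ZipFile(work, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():           # steps 3-5: keep every other entry
            if info.filename != JNDI_ENTRY:
                dst.writestr(info, src.read(info.filename))
    if has_jndi_lookup(work):
        raise RuntimeError(f"{work} still contains {JNDI_ENTRY}")
    shutil.copy2(work, jar_path)              # steps 6-7: put the updated jar back
    work.unlink()
    return backup


def mitigate_tree(servers_dir, backup_root):
    """Apply strip_jndi_lookup to every log4j-core jar under servers_dir."""
    results = {}
    jars = sorted(Path(servers_dir).rglob("log4j-core-*.jar"))
    for n, jar in enumerate(jars):
        results[str(jar)] = strip_jndi_lookup(jar, Path(backup_root) / str(n))
    return results
```

Call mitigate_tree with the wlp\usr\servers directory and a backup directory outside it; a second run returning None for every jar confirms the class is gone from each copy.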
To uninstall Cognos, uninstall the IBM Cognos Analytics application through the Windows Add Remove Programs applet.
Note: This will result in all Flexera Analytics functions being unavailable to users.
2021-12-15 9:00am CST: Initial article.
2021-12-15 7:20pm CST: Update details to allow for directory names which may vary based on the version of Cognos.
on Dec 15, 2021 08:58 AM - edited on Jul 18, 2022 12:11 PM by HollyM