Flexera Analytics (Cognos) mitigation for Apache Log4j 2 vulnerability CVE-2021-44228
A critical vulnerability in Apache Log4j 2 impacting versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.
IBM’s Cognos is included in Flexera Analytics, and is used as a reporting engine for FlexNet Manager Suite and FlexNet Manager for Engineering Applications. Cognos has been identified as potentially being affected by CVE-2021-44228. This article describes possible mitigation steps that may be applied to Cognos as used in Flexera Analytics until a formal hotfix is issued.
Affected users should do one of the following:
- Follow IBM remediation options.
- Remove Flexera Analytics (Cognos) from the computer where it is installed.
IBM remediation options
IBM has published general guidance and remediation options at the following location: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
This page states (amongst other things):
IBM’s recommendations to its clients
At this time, IBM recommends organizations running Apache Log4j take the following actions:
- Check for vulnerable versions of Apache Log4j in your environments and applications.
- Implement latest patch to production environments as soon as possible.
- Monitor IBM PSIRT for security bulletins.
- Monitor for vendor patches as they become available.
For log4j releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Removal of JndiLookup Class
To follow the above guidance to remove the JndiLookup class on an installation of Flexera Analytics (Cognos):
- Make a backup copy of log4j-core-2.7.jar, found at the following location (where <number> is a number that depends on the Cognos version installed): C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\<number>\0\.cp
- Copy the same log4j-core-2.7.jar file to a directory you have write access to.
- Open the copy of log4j-core-2.7.jar in a program such as 7-Zip (https://www.7-zip.org/).
- Delete the file JndiLookup.class (located at org\apache\logging\log4j\core\lookup\JndiLookup.class within the archive).
- Save the updated .jar file archive.
- Copy the updated log4j-core-2.7.jar back to the original location: C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\<number>\0\.cp
- Also replace the file in this location: C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\<number>\0\.cp
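The steps above can be scripted so that both .cp locations are handled in one pass and the result is verified afterwards. The following is an added example written for this article; it is not Flexera's or IBM's code. It performs the same operation as the 7-Zip steps (and as IBM's zip -q -d command): it finds every log4j-core jar below a directory, backs each one up, rewrites the archive without JndiLookup.class, and then checks that the class is gone. The script runs against constructed stand-in jars in a temporary directory that mirrors the article's directory layout (the "42" directory stands in for <number>); to use it against a real installation, point it at the Cognos install directory and a backup directory outside it.

```python
"""Added example (not Flexera's or IBM's code): scan a directory tree for
log4j-core jars, report whether each still ships JndiLookup.class, and remove
that single class after taking a backup, the same operation as the 7-Zip
steps in the article and IBM's `zip -q -d` command. Standard library only."""
import shutil
import tempfile
import zipfile
from pathlib import Path

# Archive entry that the mitigation deletes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root):
    """Every log4j-core-*.jar below `root`. Pointing `root` at the Cognos
    install directory finds both .cp locations named in the article at once."""
    return sorted(Path(root).rglob("log4j-core-*.jar"))


def has_jndi_lookup(jar_path):
    """True while the jar still contains JndiLookup.class, i.e. is unmitigated."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def remove_jndi_lookup(jar_path, install_root, backup_root):
    """Back the jar up under `backup_root` (mirroring its path below
    `install_root`, so two jars with the same name do not collide), then
    rewrite it without JndiLookup.class. Returns True if the class was removed,
    False if the jar was already clean and has been left untouched."""
    jar_path = Path(jar_path)
    if not has_jndi_lookup(jar_path):
        return False
    backup = Path(backup_root) / jar_path.relative_to(install_root)
    backup.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(jar_path, backup)

    # Build the new archive beside the original, then swap it in with a rename.
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue  # the only entry dropped; all others keep their metadata
            dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)
    return True


def make_sample_jar(path):
    """Constructed stand-in for log4j-core-2.7.jar (not a real Log4j build):
    a manifest, one unrelated class and a placeholder JndiLookup.class."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Run the full flow against constructed jars laid out like the two Cognos
    .cp directories from the article, inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "cognos"         # stands in for C:\Program Files\ibm\cognos\analytics
        backups = Path(tmp) / "log4j-backups"  # must live outside `install`
        for server in ("dataset-service", "cognosserver"):
            # "42" is a constructed value for the article's <number> directory.
            cp = install.joinpath("wlp", "usr", "servers", server, "workarea",
                                  "org.eclipse.osgi", "42", "0", ".cp")
            cp.mkdir(parents=True)
            make_sample_jar(cp / "log4j-core-2.7.jar")

        def label(jar):
            return jar.relative_to(install).parts[3]  # the server directory name

        jars = find_log4j_core_jars(install)
        before = {label(j): has_jndi_lookup(j) for j in jars}
        removed = {label(j): remove_jndi_lookup(j, install, backups) for j in jars}
        after = {label(j): has_jndi_lookup(j) for j in jars}
        # A second run must be a no-op: the jars are already clean.
        second_pass = {label(j): remove_jndi_lookup(j, install, backups) for j in jars}
        backup_jars = sorted(backups.rglob("log4j-core-*.jar"))
        with zipfile.ZipFile(jars[0]) as jar:
            remaining = jar.namelist()
        return {
            "before": before, "removed": removed, "after": after,
            "second_pass": second_pass,
            "backup_count": len(backup_jars),
            "backups_intact": all(has_jndi_lookup(b) for b in backup_jars),
            "remaining_entries": remaining,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical points when running this against a real installation: stop the IBM Cognos Analytics service first, because a running JVM keeps the jar open and Windows will not allow the file to be replaced while it is in use; and keep the backup directory outside the Cognos install tree, otherwise the next scan will pick the backups up as unmitigated jars.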
To uninstall Cognos, remove the IBM Cognos Analytics application through the Windows Add or Remove Programs applet. Note that this leaves all Flexera Analytics functions unavailable to users.
2021-12-15 9:00am CST: Initial article.
2021-12-15 7:20pm CST: Update details to allow for directory names which may vary based on the version of Cognos.