This document provides alternative ways to configure the Flexera Analytics Cognos server to mitigate security vulnerabilities caused by Apache Log4j. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. These fixes address the exposure to the Apache Log4j vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.
Note: The configuration change is applicable to FlexNet Manager Suite on-premises versions from 2017 R2 to 2021 R1 (which included Cognos Analytics versions 11.0.6 – 11.0.13).
Broadly speaking, you may choose any one of these three ways to remove the security vulnerabilities:
Choose the approach that best aligns with your security policies and practices. Next, collect the necessary resources.
All files required for any of the above approaches are included in one zip archive available from the Product and License Center. Follow these steps to obtain the materials you need.
To download the resource file for log4j mitigation of Flexera Analytics:
Each of the following approaches uses the resources within the matching folder. You may ignore folders that do not match your chosen approach.
Now proceed to the approach you selected from the introduction to Method. Each approach assumes that you are logged in to your Cognos server using an account with administrator privileges.
This approach installs the log4jSafeAgent file (provided by IBM), a Java agent that modifies class bytecode at JVM startup. It disables the vulnerable JndiLookup class and enforces the StrSubstitutor recursion limit, without altering the installed product files.
To install the Analytics (Cognos) Server run-time patch:
Here is the sample code for step 7 in the above process.
Important: Ensure that the new javaagent parameter is added within the <start> section of the file only, and not anywhere else in the file. Otherwise, the process will not be successful even if the verification step (10 b) returns the expected entry.
This approach removes the affected contents of the JndiLookup file by running a downloaded installation patch on your existing Cognos server within your FlexNet Manager Suite implementation.
To install the IBM Cognos Server patch that replaces the JndiLookup file:
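After the patch has run, a practitioner will want independent confirmation that no log4j archive under the Cognos installation still carries the JndiLookup class. The following scanner is an added example, not part of this article or of IBM's patch: it walks a directory tree, opens every jar/war/ear/zip, descends into nested jars, and reports each archive that still contains org/apache/logging/log4j/core/lookup/JndiLookup.class. The sample fixture it builds is constructed for demonstration; point find_jndi_lookup at your own Cognos installation directory (assumed path, not from the article) to run it for real.

```python
import io
import os
import tempfile
import zipfile

# Entry name inside log4j-core archives that the JndiLookup patch removes.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _scan_archive(data, label, hits):
    """Record every JndiLookup.class in this archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == JNDI_ENTRY:
                hits.append((label, name))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{label}!{name}", hits)


def find_jndi_lookup(root):
    """Walk a directory tree; return [(archive_label, entry)] for archives still carrying JndiLookup."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    _scan_archive(fh.read(), path, hits)
    return hits


def build_sample_dir():
    """Constructed fixture: an unpatched jar, a patched jar, and a war nesting the unpatched jar."""
    root = tempfile.mkdtemp(prefix="cognos-log4j-check-")
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    unpatched = io.BytesIO()
    with zipfile.ZipFile(unpatched, "w") as z:
        z.writestr(JNDI_ENTRY, fake_class)
        z.writestr("org/apache/logging/log4j/core/Core.class", fake_class)
    with open(os.path.join(root, "log4j-core-sample.jar"), "wb") as fh:
        fh.write(unpatched.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-core-patched.jar"), "w") as z:
        z.writestr("org/apache/logging/log4j/core/Core.class", fake_class)
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", unpatched.getvalue())
    return root


if __name__ == "__main__":
    for archive, entry in find_jndi_lookup(build_sample_dir()):
        print(f"UNPATCHED: {archive} contains {entry}")
```

An empty result list means every archive under the scanned root has had JndiLookup removed; any hit names the exact archive (and nested path) that still needs the patch.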
This process includes steps for both a complete reinstallation and a simplified, over-the-top installation. To complete this process, you must use an account on your Flexera Analytics server that has administrator permissions (to install a service).
Remember: The Flexera Analytics server must be accessible by its host name, rather than just its IP address. Do not use IP addresses anywhere in the Flexera Analytics settings.
This article assumes that you are reinstalling on an existing system, such that you already have:
To reinstall Flexera Analytics:
Tip: The installation script automatically extracts the contents of the archive from step b., and the extracted executable installs 32-bit software on 32-bit systems and 64-bit software on 64-bit operating systems.
Tip: Installation in either process may take some time to complete. After updating the configuration, the PowerShell script restarts the IBM Cognos service. If the script reports any difficulties restarting the service, it may be because of environmental issues, such as memory pressure. In this case, it is not necessary to run the PowerShell script again: you can try restarting the IBM Cognos service manually in Windows Service Manager.
Feb 16, 2022 05:54 PM