Apache Log4j 2.x Security Vulnerability Impact on IBM Cognos
- Windchill PDMLink 11.1 M020
- Windchill PDMLink 126.96.36.199
- Windchill PDMLink 188.8.131.52
- Windchill PDMLink 11.0 M030
A critical zero-day vulnerability has been reported in the third-party library Apache Log4j. This article provides customers with information and recommended actions for IBM Cognos, a third-party product supported as an integration with Windchill.
The analysis and investigation are ongoing. As new vulnerabilities in Apache Log4j are reported or new recommended mitigations are identified, this article will be updated. Check back regularly to ensure you have the latest details.
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
An additional, less critical vulnerability related to the above CVE has also been reported. It is recommended to address this as a priority as well.
Vulnerable Apache Log4j versions for the above CVEs: all versions from 2.0-beta9 to 2.15.0.
The following CVE was reported by Apache against Log4j 2.16:
Base CVSS Score: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/I:N/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.16.
The following CVE was reported by Apache against Log4j 2.17:
Base CVSS Score: 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.17.0.
Refer to the Apache article for more details:
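The three version ranges above are inclusive and start at pre-release builds (2.0-beta7, 2.0-beta9), so a plain string comparison of jar file names gets them wrong. The following script, an added example that is not part of this article or of PTC's or IBM's tooling, orders Log4j versions correctly (beta before rc before final release) and reports, for each log4j jar name found in an installation, which of the advisory's ranges it falls into. The range labels, the sample jar names and the `find_log4j_jars` directory walk are this example's own assumptions; the ranges themselves are the ones stated above.

```python
import re
from pathlib import Path

# Inclusive vulnerable ranges exactly as stated in the advisory above.
# Labels are this example's own, not identifiers from the article.
VULNERABLE_RANGES = [
    ("first CVEs: 2.0-beta9 to 2.15.0", "2.0-beta9", "2.15.0"),
    ("CVE against 2.16: 2.0-beta7 to 2.16", "2.0-beta7", "2.16"),
    ("CVE against 2.17: 2.0-beta7 to 2.17.0", "2.0-beta7", "2.17.0"),
]

# Pre-release ordering: beta < rc < final release.
_PRE_RANK = {"beta": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")
# Matches e.g. log4j-core-2.14.1.jar, log4j-api-2.0-beta9.jar, log4j-1.2-api-2.14.1.jar
_JAR_RE = re.compile(r"log4j-[a-z0-9.-]+?-(\d+\.\d+(?:\.\d+)?(?:-(?:beta|rc)\d+)?)\.jar")


def version_key(version: str) -> tuple:
    """Turn a Log4j version string into a tuple that sorts in release order.
    '2.16' and '2.16.0' compare equal; '2.0-beta9' < '2.0-rc1' < '2.0'."""
    m = _VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    if pre:
        return nums + (_PRE_RANK[pre], int(pre_num))
    return nums + (_FINAL_RANK, 0)


def affected_ranges(version: str) -> list:
    """Labels of every advisory range (inclusive) that contains this version."""
    key = version_key(version)
    return [
        label
        for label, low, high in VULNERABLE_RANGES
        if version_key(low) <= key <= version_key(high)
    ]


def jar_version(jar_name: str):
    """Extract the Log4j version from a jar file name, or None if not a Log4j jar."""
    m = _JAR_RE.fullmatch(Path(jar_name).name)
    return m.group(1) if m else None


def scan_jar_names(jar_names) -> dict:
    """Map each Log4j jar name to its version and the ranges it falls into."""
    report = {}
    for name in jar_names:
        version = jar_version(name)
        if version is None:
            continue  # not a Log4j 2.x jar we can classify
        report[name] = {"version": version, "affected": affected_ranges(version)}
    return report


def find_log4j_jars(root: str) -> list:
    """Walk an installation directory and return every log4j-*.jar path found.
    Assumption of this example: jars are on disk, not nested inside other archives."""
    return sorted(str(p) for p in Path(root).rglob("log4j-*.jar"))


if __name__ == "__main__":
    # Constructed sample jar names (not taken from a real installation).
    sample = [
        "lib/log4j-core-2.14.1.jar",
        "lib/log4j-api-2.0-beta8.jar",
        "lib/log4j-core-2.16.0.jar",
        "lib/log4j-core-2.17.0.jar",
        "lib/log4j-core-2.17.1.jar",
        "lib/some-other-library-1.0.jar",
    ]
    for name, info in scan_jar_names(sample).items():
        status = "; ".join(info["affected"]) or "not in any listed range"
        print(f"{name}: {info['version']} -> {status}")
```

Point `find_log4j_jars` at the Windchill or Cognos installation root and feed its result to `scan_jar_names`; a jar whose report shows an empty `affected` list is outside every range the advisory lists, while any non-empty list means the jar must be replaced or remediated per the resolution steps.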
Version History Updates:
| Date & Time of Update | Comments |
|---|---|
| 12/14/2021 6:00 PM EST | Initial content |
| 12/15/2021 6:00 PM EST | Updated to include CVE-2021-45046 |
| 12/16/2021 5:00 PM EST | Added link to IBM interim fixes |
| 12/17/2021 5:00 PM EST | Updated Resolution to include steps to apply the IBM-provided hotfix |
| 12/20/2021 6:00 PM EST | Added CVE-2021-45105; added clarification in step 6 of the provided workaround |
| 12/23/2021 | Fixed release specified in the Windchill release version details table; added links to IBM security bulletins for Cognos; clarified multiple steps in the steps to apply the Cognos hotfix; added notes for existing log4j jars in the installation |
| 12/29/2021 | Updated to include CVE-2021-44832; updated to include Windchill 11.0 M030 |
| 1/5/2022 | Additional clarification provided for the notes on existing log4j jars in the installation |
| 1/6/2022, 1/7/2022 | Clarified details in some steps for applying the Cognos hotfix |