Article - CS359007

Apache Log4j 2.x Security Vulnerability Impact on IBM Cognos

Modified: 07-Jan-2022

Applies To

  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink
  • Windchill PDMLink 11.0 M030


Last Update: 1/7/2022 1:00 PM EST (see version history below)

A critical zero-day vulnerability has been reported in the third-party library log4j. This article provides customers with information and recommended actions related to Cognos, a third-party product that is supported as an integration with Windchill.

The analysis and investigation are ongoing. As new vulnerabilities in Apache Log4j are reported or new recommended mitigations are identified, this article will be updated. Check back regularly for additional updates to ensure you have the latest details.

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

An additional, less critical vulnerability related to the above CVE has also been reported. It is recommended that this be addressed as a priority as well.

Vulnerable Apache Log4j versions for the above CVEs: all versions from 2.0-beta9 to 2.15.0

The following CVE was reported by Apache against log4j 2.16:
Base CVSS Score: 7.5   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.16

The following CVE was reported by Apache against Log4j 2.17:
Base Score: 6.6  CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.17.0.

Refer to Apache article for more details:

Version History Updates:

12/14/2021 6:00 PM EST
  • Initial Content
12/15/2021 6:00 PM EST
  • Updated to include CVE-2021-45046
12/16/2021 5:00 PM EST
  • Added link to IBM interim fixes
12/17/2021 5:00 PM EST
  • Updated Resolution to include steps to apply the IBM provided hotfix
12/20/2021 6:00 PM EST
  • Added CVE-2021-45105
  • Added clarification in step 6 of the provided workaround
12/23/2021
  • Fixed release specified in Windchill Release version details table
  • Added links to IBM security bulletins for Cognos
  • Clarified multiple steps in the steps to apply Cognos hotfix
  • Added notes for existing log4j jars in Installation
12/29/2021
  • Updated to include CVE-2021-44832
  • Updated to include Windchill 11.0 M030
1/5/2022
  • Additional clarification provided for Notes on existing log4j jars in Installation
1/6/2022, 1/7/2022
  • Clarified details in some steps for applying the Cognos Hotfix