Article - CS359007

Apache Log4j 2.x Security Vulnerability Impact on IBM Cognos

Modified: 11-May-2022   


Applies To

  • Windchill PDMLink 11.0 M030
  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink 11.2.1.0
  • Windchill PDMLink 12.0.2.0

Description

Last Update:  3/29/2022  11:30AM EST (see version history below)

A critical zero-day vulnerability has been reported in the third-party library Apache Log4j 2.x. This article provides customers with information and recommended actions for IBM Cognos, a third-party product supported as an integration with Windchill.

The analysis and investigation are ongoing. As new vulnerabilities in Apache Log4j are reported or new recommended mitigations are identified, this article will be updated. Check back regularly to ensure you have the latest details.

CVE-2021-44228
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

An additional vulnerability related to the above CVE has also been reported. It was initially rated as less severe, but Apache later raised its base score to 9.0 because it allows remote code execution in certain non-default configurations, so it should be addressed with the same priority.
CVE-2021-45046

Vulnerable Apache Log4j versions for the above CVEs:
CVE-2021-44228: 2.0-beta9 through 2.14.1 (fixed in 2.15.0)
CVE-2021-45046: 2.0-beta9 through 2.15.0 (fixed in 2.16.0)

The following CVE was reported by Apache against Log4j 2.16.0:
CVE-2021-45105
Base CVSS Score: 7.5   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 through 2.16.0 (fixed in 2.17.0)

The following CVE was reported by Apache against Log4j 2.17.0:
CVE-2021-44832
Base CVSS Score: 6.6  CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 through 2.17.0 (fixed in 2.17.1)

Refer to the Apache Log4j security page for full details, including the back-ported fix releases for Java 6 and Java 7:
https://logging.apache.org/log4j/2.x/security.html
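The version ranges above are what an administrator needs in order to check which log4j-core jars in a Windchill or Cognos installation are still exposed, before and after applying the IBM interim fix. The following script is an added example, not PTC or IBM tooling: it parses Log4j 2.x version strings (including the 2.0-alpha/beta/rc pre-releases, which must sort before the final 2.0), maps each log4j-core jar file name to the CVEs whose printed range contains it, and walks an installation directory for such jars. The sample file names in the block are constructed for illustration; the ranges are taken as printed in this article, so the back-ported 2.3.x and 2.12.x fix releases that Apache excludes from some ranges are flagged conservatively rather than modelled.

```python
"""Classify Log4j 2.x jar versions against the CVE version ranges listed above.

Added example (not PTC or IBM code). Ranges are transcribed from the article
text; Apache's back-ported 2.3.x / 2.12.x fix releases are not modelled, so a
version such as 2.12.2 is reported as affected and must be checked manually.
"""
import re
from pathlib import Path

# Inclusive (lowest, highest) affected version per CVE, as stated in the article.
CVE_RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.14.1"),   # fixed in 2.15.0
    "CVE-2021-45046": ("2.0-beta9", "2.15.0"),   # fixed in 2.16.0
    "CVE-2021-45105": ("2.0-beta7", "2.16.0"),   # fixed in 2.17.0
    "CVE-2021-44832": ("2.0-beta7", "2.17.0"),   # fixed in 2.17.1
}

# Log4j 2.x version strings: 2.0-beta9, 2.0-rc1, 2.0, 2.14.1, 2.17.1 ...
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
# Only log4j-core carries the vulnerable lookup / appender code; log4j-api does not.
JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version):
    """Sort key for Log4j 2.x versions; pre-releases order before the final release."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if tag is None:
        return numeric + (1, 0, 0)                  # final release
    return numeric + (0, PRE_RANK[tag], int(num))   # alpha < beta < rc < final


def affected_cves(version):
    """Return the CVEs from this article whose printed range contains `version`."""
    key = version_key(version)
    return [cve for cve, (low, high) in CVE_RANGES.items()
            if version_key(low) <= key <= version_key(high)]


def classify_jar(path):
    """Map a jar path to its Log4j version and affected CVEs; None for non-core jars.

    `cves` is None when the version suffix is unusual (e.g. -sources, -tests)
    and the jar must be inspected by hand.
    """
    m = JAR_RE.match(Path(path).name)
    if m is None:
        return None
    version = m.group(1)
    try:
        cves = affected_cves(version)
    except ValueError:
        cves = None
    return {"version": version, "cves": cves}


def report(paths):
    """Classify an iterable of jar paths; only log4j-core jars appear in the result."""
    findings = {}
    for p in paths:
        result = classify_jar(p)
        if result is not None:
            findings[str(p)] = result
    return findings


def scan_install(root):
    """Walk an installation directory (plain jars only, not jars nested in war/ear/zip)."""
    return report(Path(root).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed sample of file names an installation might contain (not real paths).
    sample = [
        "install/lib/log4j-core-2.13.3.jar",
        "install/lib/log4j-api-2.13.3.jar",
        "install/lib/log4j-core-2.16.0.jar",
        "install/patched/log4j-core-2.17.1.jar",
        "install/src/log4j-core-2.17.1-sources.jar",
    ]
    for path, info in report(sample).items():
        status = "verify manually" if info["cves"] is None else (", ".join(info["cves"]) or "not affected")
        print(f"{path}: {info['version']} -> {status}")
```

Run it with `scan_install` pointed at the Windchill and Cognos installation roots. A jar that is not found by name is not proof of absence: log4j-core embedded inside a .war, .ear or .zip, or shaded into another jar, is not walked, and a 2.x jar whose JndiLookup.class has been removed as a mitigation still reports as affected by file name alone, so confirm the final state against the IBM security bulletins referenced in the version history.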


Version History Updates:
Date & Time of Update     Comments
12/14/2021 6:00PM EST     Initial content
12/15/2021 6:00PM EST     Updated to include CVE-2021-45046
12/16/2021 5:00PM EST     Added link to IBM interim fixes
12/17/2021 5:00PM EST     Updated Resolution to include steps to apply the IBM-provided hotfix
12/20/2021 6:00PM EST     Added CVE-2021-45105
                          Added clarification in step 6 of the provided workaround
12/23/2021                Fixed release specified in the Windchill Release version details table
                          Added links to IBM security bulletins for Cognos
                          Clarified multiple steps in the procedure to apply the Cognos hotfix
                          Added notes for existing log4j jars in the installation
12/29/2021                Updated to include CVE-2021-44832
                          Updated to include Windchill 11.0 M030
1/5/2022                  Additional clarification provided for the notes on existing log4j jars in the installation
1/6/2022, 1/7/2022        Clarified details in some steps for applying the Cognos hotfix
1/19/2022                 Updated with the recommended CPS update for Cognos version 11.1.7 IF8
1/31/2022                 Updated IBM analysis for CVE-2021-45105 and CVE-2021-44832; both are also addressed by IBM Cognos Analytics 11.1.7 IF8
2/2/2022                  Clarification on IF8 details
2/3/2022                  Added details for Windchill releases that include Cognos Analytics 11.1.7 IF8
3/18/2022                 Clarified details for applying Cognos Analytics 11.1.7 IF8
3/29/2022                 Confirmed release date for Windchill 11.1 M020 CPS24 as March 16th
5/11/2022                 Updated to provide details related to Cognos Analytics 11.1.7 IF9

This is a printer-friendly version of Article 359007 and may be out of date. For the latest version click CS359007