Article - CS359007
Apache Log4j 2.x Security Vulnerability Impact on IBM Cognos
Modified: 11-May-2022
Applies To
- Windchill PDMLink 11.0 M030
- Windchill PDMLink 11.1 M020
- Windchill PDMLink 11.2.1.0
- Windchill PDMLink 12.0.2.0
Description
Last Update: 3/29/2022 11:30AM EST (see version history below)
A critical zero-day vulnerability has been reported in the third-party library Log4j. This article has been created to provide customers with information and recommended actions related to Cognos, a third-party product supported as an integration with Windchill.
Analysis and investigation are ongoing. As new vulnerabilities in Apache Log4j are reported or new recommended mitigations are identified, this article will be updated. Check back regularly for additional updates to ensure you have the latest details.
CVE-2021-44228
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
An additional, less critical vulnerability related to the above CVE has also been reported. It is recommended that this be addressed as a priority as well.
CVE-2021-45046
Vulnerable Apache Log4j versions for the above CVEs: all versions from 2.0-beta9 to 2.15.0
The following CVE was reported by Apache against Log4j 2.16:
CVE-2021-45105
Base CVSS Score: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.16
The following CVE was reported by Apache against Log4j 2.17:
CVE-2021-44832
Base CVSS Score: 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.17.0.
Refer to the Apache Log4j security page for more details:
https://logging.apache.org/log4j/2.x/security.html
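As an added example (not part of the original article or of any PTC or IBM tooling), the following Python helper encodes the vulnerable version ranges exactly as this article states them and reports which of the four CVEs apply to a given log4j-core version, so an inventory of jar files found in an installation can be triaged consistently. The jar-name parsing and the sample inventory are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Inclusive vulnerable ranges as stated in article CS359007 (not Apache's own table).
AFFECTED_RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.15.0"),
    "CVE-2021-45046": ("2.0-beta9", "2.15.0"),
    "CVE-2021-45105": ("2.0-beta7", "2.16"),
    "CVE-2021-44832": ("2.0-beta7", "2.17.0"),
}

_STAGES = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release stages rank below a final release
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9', '2.16' or '2.17.1' into a comparable tuple.

    Missing minor/patch components count as 0, so '2.16' == '2.16.0', and a
    final release ranks above any alpha/beta/rc of the same x.y.z.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    stage_rank = _STAGES[stage.lower()] if stage else 3
    return (int(major), int(minor or 0), int(patch or 0), stage_rank, int(stage_num or 0))


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the article whose stated range covers `version`."""
    v = parse_version(version)
    return [cve for cve, (lo, hi) in AFFECTED_RANGES.items()
            if parse_version(lo) <= v <= parse_version(hi)]


def version_from_jar_name(jar_name: str) -> Optional[str]:
    """Extract the version from a log4j-core jar file name (assumed naming, e.g. 'log4j-core-2.15.0.jar')."""
    m = re.match(r"^log4j-core-(.+)\.jar$", jar_name)
    return m.group(1) if m else None


def triage_inventory(jar_names: List[str]) -> Dict[str, List[str]]:
    """Map each log4j-core jar in a (constructed) file inventory to the CVEs affecting it."""
    result = {}
    for name in jar_names:
        version = version_from_jar_name(name)
        if version is not None:
            result[name] = affected_cves(version)
    return result
```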
Version History Updates:
Date & Time of Update | Comments |
12/14/2021 6:00 PM EST | Initial Content |
12/15/2021 6:00 PM EST | Updated to include CVE-2021-45046 |
12/16/2021 5:00 PM EST | Added link to IBM interim fixes |
12/17/2021 5:00 PM EST | Updated Resolution to include steps to apply the IBM provided hotfix |
12/20/2021 6:00 PM EST | Added CVE-2021-45105; added clarification in step 6 of the provided workaround |
12/23/2021 | Fixed release specified in Windchill Release version details table; added links to IBM security bulletins for Cognos; clarified multiple steps in the steps to apply Cognos hotfix; added notes for existing log4j jars in Installation |
12/29/2021 | Updated to include CVE-2021-44832; updated to include Windchill 11.0 M030 |
1/5/2022 | Additional clarification provided for Notes on existing log4j jars in Installation |
1/6/2022, 1/7/2022 | Clarified details in some steps for applying the Cognos Hotfix |
1/19/2022 | Updated providing recommended CPS Update for Cognos version 11.1.7 IF8 |
1/31/2022 | Updated IBM analysis for CVE-2021-45105 and CVE-2021-44832. Both also addressed with IBM Cognos Analytics 11.1.7 IF8 |
2/2/2022 | Clarification on IF8 details |
2/3/2022 | Added details for Windchill releases that include Cognos Analytics 11.1.7 IF8 |
3/18/2022 | Clarified details for applying Cognos Analytics 11.1.7 IF8 |
3/29/2022 | Confirming release date for Windchill 11.1 M020 CPS24 as March 16th |
5/11/2022 | Update to provide details related to Cognos Analytics 11.1.7 IF9 |
This is a printer-friendly version of Article 359007 and may be out of date. For the latest version, see CS359007.