Live Updates: Apache Log4j CVE-2021-44228 Vulnerability in IBM CA-PA


As you’ve likely heard by now, an extremely critical vulnerability has recently been identified in Apache Log4j. As you may also be aware, Cognos Analytics and Planning Analytics (TM1) both make use of Log4j (as do a myriad of other enterprise software products). While we don’t yet have information about fixes specifically for Cognos Analytics and Planning Analytics, we did want to go ahead and share the information we do have.

IBM’s Product Security Incident Response Team is actively working the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). It is recognized and being worked as a critical severity issue. Log4j version 2.15 fixes the vulnerability. Since Log4j is pervasive in CA and PA stacks, PMsquare believes that hotfixes/patches will eventually come down from IBM for at least more recent versions of both Planning Analytics and Cognos Analytics, and probably their periphery apps.

Updates & Fixes

New Guidance for Cognos Upgrades - 1/23/22

New guidance for customers that upgrade IBM Cognos Analytics after applying the no-upgrade instructions to address Log4j v2 vulnerabilities:

  • It's an easy fix, but these issues might have been a real thorn in the side for customers in this situation. If you applied the no-upgrade fix previously and later attempt to upgrade your stack, you may experience enigmatic Query Service issues (XQE errors). The fix is simply to remove an argument from the xqe.config.custom.xml file that was modified during the no-upgrade work. This needs to be done on all application servers, which then need to be restarted. You can check whether this situation applies to you and find the exact details of the fix in IBM Support document number 6549814.

New Cognos Interim Fixes & Non-upgrade Patch - 1/10/2022

IBM released two separate security bulletins late on 1/10/22. One addresses CVE-2021-44228 (LDAP/JNDI endpoint and features vulnerability; CVSS base score: 10) and the other addresses both CVE-2021-44832 (JDBC Appender vulnerability; CVSS base score: 6.6) and CVE-2021-45105 (uncontrolled recursion from self-referential lookups vulnerability; CVSS base score: 7.5). The new fix packs take Apache Log4j references to 2.17.1, amongst other things.

  • Non-upgrade patch applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x - log4jSafeAgent


These fixes are being applied to IBM Cloud instances between now and 1/15. IBM strongly recommends applying this most recent security update.

PAW Remediation - 12/21/2021

The IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by the Log4j security vulnerability, and a patch has been developed. Specifically, IBM Planning Analytics Workspace 2.0.57 and higher are affected. If you have one of the listed affected versions, it is strongly recommended that you apply the most recent security update: download IBM Planning Analytics Local v2.0: Planning Analytics Workspace Release 72 from Fix Central. IBM has updated Planning Analytics Workspace to use Apache Log4j version 2.17, as noted here: Security Bulletin: IBM Planning Analytics 2.0: Apache Log4j Vulnerabilities (CVE-2021-45046 & CVE-2021-45105)

New Cognos Interim Fixes - 12/21/2021

New IBM Cognos Analytics interim fixes (upgrade) were made available overnight in which IBM Cognos Analytics has upgraded Apache log4j references to v2.16. We knew this was going to be a moving target…hence the latest IFs pointing to the latest patched Apache log4j version at time of CA patch development. 11.2.1 goes to IF2. 11.1.7 goes to IF7. 11.0.13 goes to IF4. This time, IBM included installers with the client and server patch files...so you no longer have to guess which installer version to use.

So, will this be the last interim fix released to address the Log4j vulnerabilities? Possibly. It really depends on whether further issues are found in Apache Log4j 2.16. Yes, there is a newly found DoS vulnerability in Log4j 2.16...so more fixes for IBM products might be coming...but the DoS risk is of less severity than what was fixed with 2.16...so we're unsure how quickly the next fix comes, if any. No updates to the non-upgrade fix as of yet. Stay tuned for the latest updates. We'll update this post as needed.

Note IBM’s latest update on approach…

IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. Work continues on products that already have released a remediation based on Log4j 2.15 to remain current with additional Log4j 2.x patches. With so much active industry research on Log4j, mitigation and remediation recommendations will evolve. We are actively assessing the latest Log4j developments and will share updates accordingly.

Cognos Non-upgrade Patch - 8:00 PM ET on 12/16/2021

The IBM Cognos Analytics team has developed a “no-upgrade” option for our “On Prem” (local installation) customers. This patch is available as a .jar file and is included along with detailed instructions on how to execute. See: CA-11.x-Log4jSafeAgent

The single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x, and 11.2.x. The log4jSafeAgent.jar, issued by IBM Cognos Analytics, modifies the class code to remove the vulnerable JNDI lookup functionality without installation impact to the IBM Cognos Analytics product. It effectively rewrites the “org/apache/logging/log4j/core/lookup/JndiLookup” class to remove its content during IBM Cognos Analytics start-up. https://www.ibm.com/support/pages/node/6526474

Cognos Remediation - 7:00 PM ET on 12/15/2021

The anticipated security bulletin identifying log4j vulnerability and corresponding fix(es) for Cognos Analytics has arrived. Read the full text here. IBM singles out the Long Term Support releases of Cognos 11.0.x and 11.1.x for now, plus the latest 11.2.x release, with interim fixes for:

Applying the most recent security update is strongly recommended. For on-prem installations not in line with the versions above, IBM will be working to release a non-upgrade patch in lieu of updating. For customers using Cognos Analytics Cloud or Cloud Hosted instances, remediation is in progress. Please contact us if you need PMsquare to support you through these critical steps.

PAW Remediation - 12/15/2021

The IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by the Log4j security vulnerability, and a patch has been developed. Specifically, IBM Planning Analytics Workspace 2.0.57 and higher are affected. If you have one of the listed affected versions, it is strongly recommended that you apply the most recent security update: download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 71 from Fix Central. Note that IBM Planning Analytics on Cloud has already been patched by IBM.

Products Not Impacted - 9:15 AM ET on 12/15/2021

IBM’s initial analysis has determined a list of IBM products that are not susceptible to the Log4j 2.x CVE-2021-44228 vulnerability. This list is not final. Additional IBM Z products are listed in the IBM Z Security Portal. Click here for the list.

Vulnerability Update - 4:14 PM ET on 12/14/2021

Looks like those trying to build patches have their hands full trying to hit a moving target. Just today, another vulnerability was found and the Apache Log4j 2.15.0 fix was deemed incomplete in certain configurations. So, Apache rolled out another fix in 2.16.0. Stay tuned.

Take These Actions

At this time, IBM recommends organizations running Apache Log4j take the following actions:

  • Check for vulnerable versions of Apache Log4j in your environments and applications.

  • Implement the latest patch in production environments as soon as possible.

  • Monitor IBM PSIRT for security bulletins.

  • Monitor for vendor patches as they become available.
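The first action above (finding vulnerable Log4j copies) is the one most teams struggle to do systematically. The scanner below is an added example, not code from IBM or from this post: it walks a directory tree, identifies log4j-core jars by their Maven pom.properties, reads the version, and reports whether the JndiLookup class discussed in the no-upgrade section is still present. The 2.17.1 threshold is the level the January 2022 fix packs move to; the sample jars it builds are constructed stand-ins, not real Log4j artifacts.

```python
import os
import tempfile
import zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 1)  # level the 1/10/2022 IBM fix packs move Log4j to

def parse_version(text):
    """Numeric tuple from the 'version=' line of pom.properties, else None."""
    for line in text.splitlines():
        if line.startswith("version="):
            return tuple(int(p) for p in line.split("=", 1)[1].strip().split(".") if p.isdigit())
    return None

def classify_jar(path):
    """Classify one jar as not-log4j-core, ok, class-removed or vulnerable."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return "not-log4j-core", None
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    if version is not None and version >= FIXED_VERSION:
        return "ok", version
    # Older jar: acceptable only with JndiLookup stripped out (no-upgrade approach)
    return ("class-removed" if JNDI_CLASS not in names else "vulnerable"), version

def scan(root):
    """Walk root; return {jar_path: (status, version)} for every .jar found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(".jar")):
            p = os.path.join(dirpath, f)
            try:
                results[p] = classify_jar(p)
            except zipfile.BadZipFile:
                results[p] = ("unreadable", None)
    return results

def make_sample_jar(path, version, include_jndi=True):
    """Write a constructed, minimal log4j-core-like jar for offline testing."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode

def demo():
    """Build three constructed jars in a temp dir and return {file name: status}."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", include_jndi=False)
    make_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    return {os.path.basename(p): s for p, (s, _) in scan(root).items()}
```

Point `scan()` at a Cognos or Planning Analytics install root; a "class-removed" result means the no-upgrade mitigation is in place but the jar should still be scheduled for upgrade, and nested jars inside war/ear archives are not inspected by this version.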

Helpful Resources

Below are a few helpful resources to better understand, help manage concerns, and eventually address issues:

Check back in!

PMsquare will continue to monitor IBM’s progress and will update this blog post as more information becomes available. Get ready for some patching!

Next Steps

We hope you found this article informative. Be sure to subscribe to our newsletter for data and analytics news, updates, and insights delivered directly to your inbox.

If you have any questions or would like PMsquare to provide guidance and support for your analytics solution, contact us today.