Lucene search

K
ibmIBM990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24
HistoryApr 20, 2022 - 7:29 p.m.

Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046)

2022-04-2019:29:59
www.ibm.com
132

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

Summary

IBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-45046) vulnerability. IBM Cognos Analytics has upgraded Apache Log4j to v2.16. This update also addresses CVE-2021-44228. Please note that this Security Bulletin has been superseded by Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832). See References section below.

Vulnerability Details

CVEID:CVE-2021-45046
**DESCRIPTION:**Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Cognos Analytics 11.2.x

IBM Cognos Analytics 11.1.x

IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

Remediation/Fixes

Two links have been provided for each Interim Fix. The majority of clients will access the Interim Fix via the link under Fix Version. For clients who have IBM Cognos Analytics by way of another product such as IBM Planning Analytics, IBM Cognos Controller, IBM OpenPages, etc. you will access the Interim Fix via the link under the Bundled Customers.

Affected Version

|

Fix Version

|

Bundled Customers

—|—|—

IBM Cognos Analytics 11.2.x

|

IBM Cognos Analytics 11.2.1 Interim Fix 3

|

IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)

IBM Cognos Analytics 11.1.x

| IBM Cognos Analytics 11.1.7 Interim Fix 9 | IBM Cognos Analytics 11.1.7 Interim Fix 9 (Bundled)

IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

|

IBM Cognos Analytics 11.0.13 Interim Fix 5

|

IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)

CVE-2021-45046 and CVE-2021-44228 have been remediated on all IBM Cognos Analytics on Cloud environments.

Workarounds and Mitigations

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

The single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x.

The log4jSafeAgent file that is provided for Cognos Analytics modifies the class byte code at the Java startup time. It removes the vulnerable JNDI lookup, and enforces the StrSubstitutor recursion limit without altering the installed product.

It effectively rewrites the “org/apache/logging/log4j/core/lookup/JndiLookup” class to remove its content during IBM Cognos Analytics start up.

To get the patch and detailed instructions, click this link: log4jSafeAgent

Bundle Customers can use the following link: log4jSafeAgent Bundled

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

Related for 990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24