Security Bulletin: Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

Started by Stevo, 16 Dec 2021 03:35:00 AM


Stevo

Hi All,
From the link provided by IBM
https://www.ibm.com/support/pages/node/6526474?myns=swgimgmt&mynp=OCSSTSF6&mync=E&cm_sp=swgimgmt-_-OCSSTSF6-_-E
it implies that the interim fix can be applied to various release versions of the software. But on closer inspection it appears that it's directed only at the long-term releases or the current release of 11.2.1.
Do you agree that the interim fix is only applicable to the long-term release versions? We have clients on v11.0.7 for example, which would mean two rounds of upgrades to get the solution implemented...

Regards, Stephen

dougp

Yes, it's LTS.  The document specifically identifies 11.2.1, 11.1.7, and 11.0.13.

napster_gr8

Hi all,

Do we have any information about similar vulnerabilities on previous versions of IBM Cognos (specifically IBM Cognos 10.2.2)?

Regards,
Naps

oscarca

Does Framework Manager have to be reinstalled with the same patch or is it not affected?

dougp

Two things to consider:

  • Cognos uses Java
  • IBM provided a client install with 11.1.7IF6

I'd recommend keeping the server and client versions the same.  So, yes, upgrade Framework Manager.

oscarca

Thanks Doug!
And yes, I know it's recommended to keep the client and server on the same version, but they were already on 11.1.7. I was curious to know whether the patch fix should be applied to Framework Manager as well, i.e. if log4j was used there as well.
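As an added example (not from this thread, IBM, or BSP), a defender-side check for the question above: walk an install directory and report every bundled log4j-core jar with its version and whether the JndiLookup class is present. The sample install tree, its directory names and the jar contents are constructed for the demonstration; real Cognos and Framework Manager layouts differ, and jars nested inside .war/.ear archives are not opened.

```python
import os
import re
import tempfile
import zipfile

# Maven metadata that log4j-core jars carry, and the class behind CVE-2021-44228.
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a log4j-core jar, or None if it is not one."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            props = [n for n in names if POM_PROPS.search(n)]
            if not props:
                return None
            text = zf.read(props[0]).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", text, re.M)
            version = m.group(1).strip() if m else "unknown"
            return version, JNDI_CLASS in names
    except zipfile.BadZipFile:
        return None  # not a jar/zip we can read; skip it


def scan_install(root):
    """Walk an install directory; return (relative path, version, jndi present) per log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".zip")):
                full = os.path.join(dirpath, f)
                res = inspect_jar(full)
                if res:
                    findings.append((os.path.relpath(full, root), res[0], res[1]))
    return findings


def build_sample_install():
    """Constructed sample tree (hypothetical layout, not a real IBM install) with one old log4j-core jar."""
    root = tempfile.mkdtemp(prefix="sample_install_")
    libdir = os.path.join(root, "webapps", "sample", "WEB-INF", "lib")
    os.makedirs(libdir)
    with zipfile.ZipFile(os.path.join(libdir, "log4j-core-2.13.3.jar"), "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "version=2.13.3\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(libdir, "other-lib-1.0.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # unrelated jar, should not be reported
    return root


if __name__ == "__main__":
    for rel, version, jndi in scan_install(build_sample_install()):
        print(f"{rel}: log4j-core {version}, JndiLookup present={jndi}")
```

Point `scan_install` at both the server and the client (Framework Manager) install directories; a hit with JndiLookup present on a version below the fixed release is what the interim fix is meant to replace.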