Security Bulletin: Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

[Stevo]

Hi All,
From the link provided by IBM
https://www.ibm.com/support/pages/node/6526474?myns=swgimgmt&mynp=OCSSTSF6&mync=E&cm_sp=swgimgmt-_-OCSSTSF6-_-E
it implies that the interim fix can be applied to various release versions of the software.  But on closer inspection it appears that it's directed only at the long-term releases or the current release of 11.2.1
Do you agree that the interim fix is only applicable to the long-term release versions.  We have clients on v11.0.7 for example, which would mean two rounds of upgrades to get the solution implemented...

Regards, Stephen

[dougp]

Yes, it's LTS.  The document specifically identifies 11.2.1, 11.1.7, and 11.0.13.

[napster_gr8]

Hi all,

Do we have any information about similar vulnerabilities on previous versions of IBM Cognos (specifically IBM Cognos 10.2.2).

Regards,
Naps

[oscarca]

Does Framework Manager have to be reinstalled with the same patch or is it not affected?

[dougp]

Two things to consider:

• Cognos uses Java
• IBM provided a client install with 11.1.7IF6

I'd recommend keeping the server and client versions the same.  So, yes, upgrade Framework Manager.

[oscarca]

Thanks Doug!
And yes I know its recommended to keep the client and server with the same version but they were already 11.1.7 but was curious to know if the patch fix should be applied to framework manager aswell i.e. If LOG4J was used there aswell.