
Log4j Mitigation - Removal of jndilookup class and IBM Patch upgrade option

Started by Cognos91, 31 Jan 2022 12:44:39 PM


Cognos91

Hello,
I am checking in to see if anyone has performed the following:
First removed the jndilookup class from the log4j-core-2.7.jar file (as was indicated as an earlier mitigation)
(located under: ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\....
and \ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\....)
and then applied an over-the-top install of the security patch provided in Fix Central.

IBM support responded that they do not support this fix when a jar file is changed from within the configuration.

So just curious to see how many have had the mitigation applied first to the log4j file, and then applied the IBM patch that was released on Jan 10th?

dougp

Not really an answer...

What version of Cognos?

I've heard of problems with the manual mitigation, including causing problems for future upgrades/patches.

I upgraded from IBM Cognos Analytics 11.1.7IF1021 (so 11.1.7.2) to 11.1.7IF6 to 11.1.7IF8.  The upgrades were an upgrade-in-place of a single server install on Windows using an IIS gateway for SSO and using SSL.  Both upgrades went very smoothly.

Cognos91

@dougp
This is for version 11.0.13.
I am interested in understanding if removing the jndilookup class from the log4j-core-2.17.jar file would be enough.
If so, then which specific log4j-core-**.jar files should be looked into, as in specific locations within the Cognos install directory?

Does the above option still hold good? IBM support cannot verify nor confirm the same, even though the Apache log4j mitigation to remove the jndiLookup class was posted on their blog site.

So my questions are:
1. Does removing the jndiLookup class work, and is it sufficient as a workaround now? Not all customers would want to run the upgrade patch.
2. If so, then what/where are the locations within the Cognos directory from which these need to be removed?
3. If the above does not make sense at all, then can we run either the upgrade patch or the non-upgrade patch after removing the jndiLookup class file?
4. Or rather, does simply running the upgrade or non-upgrade patch help remove the jndilookup class?
5. Does the upgrade patch remove the log4j files? We have seen the log4j-core-** being installed when running the upgrade patch. Now, this jar file also contains the jndiLookup class within it. So, we are simply going by the assumption that this lookup class does not contain the security vulnerabilities.

Also, I am interested in the upgrade you applied on a single-server install using IIS for SSO and using SSL. Did you have to preserve the certs in a preserve.txt file? I am assuming you ran an over-the-top install upgrade.
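A way to answer questions 1, 2 and 5 for a given install is to inventory the jars rather than assume. The Python script below is an added example written for this thread (not IBM's or Apache's code): it walks a directory tree, finds every log4j-core-*.jar, checks whether JndiLookup.class is still inside the archive, and compares the filename version against 2.17.1. The directory names and sample jars it builds are constructed fixtures; in practice it would be run against the wlp\usr\servers tree named above.

```python
"""Inventory log4j-core jars and report which still ship JndiLookup.class.
Constructed example for this thread; not IBM or Apache code."""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")
FIXED_VERSION = (2, 17, 1)  # first 2.x release carrying all the late-2021 fixes

def version_tuple(text):
    """'2.17.1' -> (2, 17, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def jar_contains_jndilookup(jar_path):
    """True if the jar still carries the JndiLookup class (zip entry lookup, no extraction)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()

def scan_log4j_core(root):
    """Walk root and classify every log4j-core jar found beneath it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if not match:
                continue
            path = os.path.join(dirpath, name)
            has_class = jar_contains_jndilookup(path)
            if version_tuple(match.group(1)) >= FIXED_VERSION:
                status = "patched"      # class may remain; JNDI lookups are off by default since 2.16.0
            elif has_class:
                status = "vulnerable"   # old jar, class still present
            else:
                status = "mitigated"    # class stripped by hand; support may not accept this state
            findings.append({"path": path, "version": match.group(1), "jndilookup": has_class, "status": status})
    return findings

def build_sample_tree():
    """Constructed fixture: three jars under hypothetical workarea directories."""
    root = tempfile.mkdtemp(prefix="cognos-log4j-")
    samples = {os.path.join("cognosserver", "workarea", "log4j-core-2.7.jar"): True,
               os.path.join("dataset-service", "workarea", "log4j-core-2.17.1.jar"): True,
               os.path.join("stripped", "log4j-core-2.7.jar"): False}
    for rel, with_class in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_class:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return root

if __name__ == "__main__":
    for f in scan_log4j_core(build_sample_tree()):
        print(f"{f['status']:<10} {f['version']:<7} jndilookup={f['jndilookup']} {f['path']}")
```

The version check relies on the jar filename only; a jar renamed or repackaged by an installer should be judged by its META-INF manifest instead.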