Hello Cognos Gurus,
According to IBM information, one can mitigate the log4j problem by removing the JndiLookup class from the log4j-core.jar.
Source: An update on the Apache Log4j CVE-2021-44228 vulnerability - IBM PSIRT Blog
We have CA 11.1.7 (in /opt/IBM/crn0/) and 11.2.1 (in /opt/IBM/crn1) installed.
The following command shows that only 11.2.1 is affected:
root@:/opt/IBM : rm -f /tmp/log4j.txt; for i in $(find ./ | grep -i "log4j-core-"); do zip -v "$i" | grep -i "JndiLookup" > /tmp/foo.txt && { echo "$i" >> /tmp/log4j.txt; cat /tmp/foo.txt >> /tmp/log4j.txt; }; done; cat /tmp/log4j.txt
./cognos/crn1/wlp/usr/servers/cognosserver/workarea/org.eclipse.osgi/102/0/.cp/log4j-core-2.11.2.jar
zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
./cognos/crn1/wlp/usr/servers/dataset-service/workarea/org.eclipse.osgi/89/0/.cp/log4j-core-2.11.2.jar
zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
./WebSphere/AppServer/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core-2.8.2.jar
zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
./WebSphere_09122021/AppServer/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core-2.8.2.jar
zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
Anyone using 11.1.7 should be safe. Hope that my conclusion is correct and helps you.
*Update 14.12.2021 - 09:45 UTC*
According to the reply below with the link to https://github.com/mergebase/log4j-detector ... the JndiManager.class is affected as well.
So, looking for Jndi inside any log4j*jar should imho reveal if the system is affected or not.
And yes, 11.1.5 and 11.1.7 are affected. :-(
root@:/opt/IBM/cognos/crn0 : zip -v -T ./bin/log4j-core-2.7.jar | grep -i "Jndi"
testing: org/apache/logging/log4j/core/lookup/JndiLookup.class OK
testing: org/apache/logging/log4j/core/net/JndiManager$1.class OK
testing: org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class OK
testing: org/apache/logging/log4j/core/net/JndiManager.class OK
testing: org/apache/logging/log4j/core/selector/JndiContextSelector.class OK
testing: org/apache/logging/log4j/core/util/JndiCloser.class OK
root@:/opt/IBM/cognos/crn0 : cat cmplst.txt | grep -i product_version
Product_version=11.1 R5
According to avantum consult GmbH on LinkedIn: Sicherheitslücke in der Java-Bibliothek Log4j (Security vulnerability in the Java library Log4j) ... you can easily generate a canary token and paste it into the username, which will trigger the token. If that is the case, then your system is vulnerable. See link to canary tokens: Know. Before it matters
Regards,
Ralf
------------------------------
Ralf Roeber
https://linkedin.com/in/ralf-roeber-470425a/
------------------------------
#CognosAnalyticswithWatson
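The `zip -v | grep` loop above does its check by reading the verbose archive listing. The script below does the same inspection with Python's standard `zipfile` module, so it needs no `zip` binary and runs the same way on every host: it walks a directory tree, opens every `log4j-core-<version>.jar` it finds, reports which JNDI classes are still inside, and can also write a copy of a jar with `JndiLookup.class` removed (the IBM mitigation referenced in the post) so you can verify the mitigated copy with the same scanner. This is an added example, not code from the post, from IBM or from the log4j-detector project. It assumes the jar's version is carried in its file name (as in the paths listed above), and the jars it builds for the demo contain placeholder bytes, not real log4j bytecode.

```python
import os
import re
import tempfile
import zipfile

# The class IBM's mitigation deletes from log4j-core.jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# One of the other JNDI-related classes seen in the post's listing of log4j-core-2.7.jar.
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"

# Assumption: the version is in the file name, e.g. log4j-core-2.11.2.jar -> "2.11.2".
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def jndi_entries(jar_path):
    """Entries whose path contains 'jndi', case-insensitively (same as `zip -v -T ... | grep -i jndi`)."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(name for name in jar.namelist() if "jndi" in name.lower())


def scan_tree(root):
    """Walk root and describe every log4j-core jar found.

    Returns {jar_path: {"version": str, "jndi_lookup": bool, "jndi_entries": list or None}};
    jndi_entries is None for a file that is not a readable zip archive.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            match = JAR_NAME.match(fname)
            if not match:
                continue  # log4j-api and other jars are not where JndiLookup lives
            path = os.path.join(dirpath, fname)
            try:
                entries = jndi_entries(path)
            except zipfile.BadZipFile:
                entries = None  # corrupt or truncated jar: report it, don't silently skip it
            findings[path] = {
                "version": match.group(1),
                "jndi_lookup": bool(entries) and JNDI_LOOKUP in entries,
                "jndi_entries": entries,
            }
    return findings


def strip_jndi_lookup(jar_path, out_path):
    """Write a copy of jar_path without JndiLookup.class; return how many entries were dropped."""
    dropped = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                dropped += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return dropped


def build_fixture(root):
    """Constructed sample tree (placeholder bytes, not real log4j): an affected jar,
    a copy with JndiLookup removed, and an unrelated log4j-api jar the scanner must ignore."""
    affected_dir = os.path.join(root, "crn1", "lib")
    stripped_dir = os.path.join(root, "crn1-fixed", "lib")
    os.makedirs(affected_dir)
    os.makedirs(stripped_dir)
    affected = os.path.join(affected_dir, "log4j-core-2.11.2.jar")
    with zipfile.ZipFile(affected, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        jar.writestr(JNDI_MANAGER, b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
    stripped = os.path.join(stripped_dir, "log4j-core-2.11.2.jar")
    strip_jndi_lookup(affected, stripped)
    with zipfile.ZipFile(os.path.join(affected_dir, "log4j-api-2.11.2.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return {"affected": affected, "stripped": stripped}


def run_demo():
    """Build the fixture in a temporary directory, scan it, and return (findings, paths)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-demo-")
    paths = build_fixture(root)
    return scan_tree(root), paths


if __name__ == "__main__":
    findings, _ = run_demo()
    for path, info in sorted(findings.items()):
        state = "JndiLookup PRESENT" if info["jndi_lookup"] else "JndiLookup absent"
        print(f"{path}: log4j-core {info['version']}: {state}; jndi entries: {info['jndi_entries']}")
```

Point `scan_tree` at `/opt/IBM` (or any install root) for a real run. Note the caveat the demo makes visible: after `JndiLookup.class` has been deleted, `JndiManager.class` and the other `net/Jndi*` classes are still in the jar, so a plain `grep -i jndi` over the listing keeps matching a mitigated jar. To confirm the mitigation was applied, check for the `JndiLookup.class` entry specifically, which is what the `jndi_lookup` flag does.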