Cognos Analytics

 View Only
Expand all | Collapse all

log4j cve + cognos

  • 1.  log4j cve + cognos

    IBM Champion
    Posted Mon December 13, 2021 11:29 AM
    Edited by System Fri January 20, 2023 04:11 PM
    Hello Cognos Gurus,

    according to IBM information, one can mitigate the log4j problem by removing JndiLookup class from the log4j-core.jar

    Source: An update on the Apache Log4j CVE-2021-44228 vulnerability - IBM PSIRT Blog

    We have CA 11.1.7 (in /opt/IBM/crn0/) and 11.2.1 (in /opt/IBM/crn1) installed.

    The following command shows that only 11.2.1 is affected:
    root@:/opt/IBM : rm /tmp/log4j.txt; for i in `find ./ | grep -i "log4j-core-"`; do zip -v $i | grep -i "JndiLookup" > /tmp/foo.txt && { echo $i >> /tmp/log4j.txt; cat /tmp/foo.txt >> /tmp/log4j.txt; }; done; cat /tmp/log4j.txt
    ./cognos/crn1/wlp/usr/servers/cognosserver/workarea/org.eclipse.osgi/102/0/.cp/log4j-core-2.11.2.jar
    zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
    ./cognos/crn1/wlp/usr/servers/dataset-service/workarea/org.eclipse.osgi/89/0/.cp/log4j-core-2.11.2.jar
    zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
    ./WebSphere/AppServer/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core-2.8.2.jar
    zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
    ./WebSphere_09122021/AppServer/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core-2.8.2.jar
    zip warning: undefined bits used in flags = 0x0808: org/apache/logging/log4j/core/lookup/JndiLookup.class
    Anyone using 11.1.7 should be safe.

    Hope that my conclusion is correct and helps you.

    *Update 14.12.2021 - 09:45 UTC*
    According to the reply below with link to https://github.com/mergebase/log4j-detector ... the JndiManage.class is affected as well.
    So, looking for Jndi inside any log4j*jar should imho reveal if the system is affected or not. 

    And yes, 11.1.5 and 11.1.7 are affected. :-( 

    root@:/opt/IBM/cognos/crn0 : zip -v -T ./bin/log4j-core-2.7.jar | grep -i "Jndi"
    testing: org/apache/logging/log4j/core/lookup/JndiLookup.class OK
    testing: org/apache/logging/log4j/core/net/JndiManager$1.class OK
    testing: org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class OK
    testing: org/apache/logging/log4j/core/net/JndiManager.class OK
    testing: org/apache/logging/log4j/core/selector/JndiContextSelector.class OK
    testing: org/apache/logging/log4j/core/util/JndiCloser.class OK
    root@:/opt/IBM/cognos/crn0 : cat cmplst.txt | grep -i product_version
    Product_version=11.1 R5
    According to avantum consult GmbH on LinkedIn: Sicherheitslücke in der Java-Bibliothek Log4javantum consult GmbH on LinkedIn: Sicherheitslücke in der Java-Bibliothek Log4j ... you can easily generate a canary token and paste it into the username, which will trigger the token. If that is the case, then your system is vulnerable. See link to canary tokens: Know. Before it matters 


    regards,
    Ralf

    ------------------------------
    Ralf Roeber
    https://linkedin.com/in/ralf-roeber-470425a/
    ------------------------------
    #CognosAnalyticswithWatson


  • 2.  RE: log4j cve + cognos

    Posted Mon December 13, 2021 03:52 PM
    I scanned several installations with https://github.com/mergebase/log4j-detector and found the vulnerable log4j in all of them, 11.0.13, 11.1.7 and 11.2.1. This script also checks for log4j hidden in other .jar archives, i found this useful on some DataStage installation where log4j is hidden in several "thirdparty.jar" archives.

    ------------------------------
    Sven Jansen
    ------------------------------

    Original Message


  • 3.  RE: log4j cve + cognos

    IBM Champion
    Posted Tue December 14, 2021 03:16 AM
    In the cmplst.txt, we have the following line (both in CA v11.1.7 and CA v11.2.1):
    LOG4J2_version=2.7.0-1.11 (vulnerable)

    Best regards,

    ------------------------------
    Patrick Neveu
    Positive Thinking Company
    ------------------------------

    Original Message


  • 4.  RE: log4j cve + cognos

    IBM Champion
    Posted Thu December 16, 2021 03:23 AM
    Hi,

    Good news from IBM with the following message from support:
    Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

    Security updates are available for :
    Cognos Analytics v11.0.13
    Cognos Analytics v11.1.7
    Cognos Analytics v11.2.1

    Best regards,

    ------------------------------
    Patrick Neveu
    Positive Thinking Company
    ------------------------------

    Original Message


  • 5.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 04:51 AM
    Hi, 

    Can the IF6 fix be installed on any 11.1.7  FP ? (FP3 for e.g.)
    or do we need first to install the FP4 and then the IF6?

    Thanks!
    Regards,
    Jean-Pierre

    ------------------------------
    Jean-Pierre CLEF
    ------------------------------

    Original Message


  • 6.  RE: log4j cve + cognos

    IBM Champion
    Posted Thu December 16, 2021 05:04 AM

    Hi,

    i assume that IF6 will include all fixes from FP4 but a confirmation from IBM would be much appreciated. I hope one of the technical experts can chime in quickly.
    Br



    ------------------------------
    Robert Dostal
    Team Leader BI
    GEMÜ
    Ingelfingen
    ------------------------------

    Original Message


  • 7.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 05:43 AM
    Interim fix 6 files downloaded.can I use the same analytics-installer-2.2.11-win.exe to run this if 6 files ? 

    Thanks,
    Veera



    Original Message


  • 8.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 06:16 AM
    Yes.

    ------------------------------
    Sven Jansen
    IT Specialist
    valantic Business Analytics GmbH
    ------------------------------

    Original Message


  • 9.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 03:11 PM
    we tried to install the interim fix using 2.2.11 installer on windows. it wiped out most of the folders. Does anybody else experienced the same issue?



    ------------------------------
    Oleg Nevedrov
    ------------------------------

    Original Message


  • 10.  RE: log4j cve + cognos

    Posted Fri December 17, 2021 09:33 AM
    We managed to install IF6 and it contains LOG4J2 2.15.0-1.2.

    we had hanged process which locked one library and install crashed deleting most of the folders. Luckily, it was sandbox on VM.

    ------------------------------
    Oleg Nevedrov
    ------------------------------

    Original Message


  • 11.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 10:48 AM
    Great to finally get an update. If you are on version 11.0.6, do you need to upgrade to 11.0.13 in order to apply 11.0.13 interim fix 3?
    Similarly for the other versions?

    ------------------------------
    Paul Bierman
    ------------------------------

    Original Message


  • 12.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 02:03 PM
    IBM told me this:

    "... IF6 addresses CVE-2021-44228 only, which is more severe, and this issue is resolved in IF6.

    CVE-2021-45046 is being treated as a separate concern and IBM Development is still investigating. This is what the scan found, and that is expected at that time. There will be an additional fix for that.

    So installing IF6 is recommended for environments that must get the critical issue CVE-2021-44228 fixed ASAP.

    Once the fix for CVE-2021-45046 becomes available, it will also include the fix for CVE-2021-44228. So environments that could wait for the next fix would need to be upgraded only once for the next interim fix."


    So, we're waiting for the final fix. We're a small shop with Cognos behind the firewall. We don't have the luxury of doing this twice if we can help it


    Mike





    Original Message


  • 13.  RE: log4j cve + cognos

    Posted Tue December 14, 2021 03:16 AM
    Hi Ralf

    Which Fixpack do you need  to be safe using 11.1.7 ?

    Regards,
    Jean-Pierre

    ------------------------------
    Jean-Pierre CLEF
    ------------------------------

    Original Message


  • 14.  RE: log4j cve + cognos

    Posted Tue December 14, 2021 03:43 AM
    Hello Ralf and All -  If you read this Tech Note from IBM I believe it indicates the "temporary fix" Ralf looked at would only apply to certain versions of Log4j, and not the one installed with 11.1.7.(e.g. In releases >=2.10)
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    We have opened a ticket, currently on 11.1.7 FP3 and are advised that IBM will be releasing a fix pack with Log4j version 15 patched shortly.
    HTH
    Shawn

    ------------------------------
    Shawn Lamson
    ------------------------------

    Original Message


  • 15.  RE: log4j cve + cognos

    IBM Champion
    Posted Tue December 14, 2021 04:47 AM
    Updated message above ... my command was not accurate enough. 11.x are affected.

    ------------------------------
    Ralf Roeber
    https://linkedin.com/in/ralf-roeber-470425a/
    ------------------------------

    Original Message


  • 16.  RE: log4j cve + cognos

    Posted Tue December 14, 2021 08:33 AM
    IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). We are investigating and taking action for IBM as an enterprise, IBM products and IBM services that may be potentially impacted, and will continually publish information to help customers detect, investigate and mitigate attacks, if any, to their IBM products and services.

    Please watch this blog for further updates -
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    ------------------------------
    Laura Knowles
    Program Director, Global Cognos Analytics Support
    Data and AI
    IBM
    laura.knowles@ca.ibm.com
    ------------------------------

    Original Message


  • 17.  RE: log4j cve + cognos

    IBM Champion
    Posted Wed December 15, 2021 11:46 AM
    Hi Laura

    Any news from IBM, our Clients are waiting impatiently to get an update.


    Rikke Jacobsen

    CEO

    E-mail: rijac@cognitech.dk

    CogniTech A/S · Overgade 21, 1. sal · 7400 Herning



    ------------------------------
    Rikke Jacobsen
    CEO
    CogniTech A/S
    Herning
    +4520859352
    ------------------------------

    Original Message


  • 18.  RE: log4j cve + cognos

    Posted Tue December 14, 2021 09:31 AM
    Hi all,

    We have Cognos 11.1.7 and use IIS as our web server, I think the gateway uses ISAPI.

    I'm pretty sure that means we're in the clear regarding the Apache vulnerability

    I'm not an expert on this. Any thoughts?

    Thanks

    Michael

    --
    Michael Sullivan
    978 762 4218
    North Shore Community College



    Original Message


  • 19.  RE: log4j cve + cognos

    Posted Wed December 15, 2021 08:36 AM
    Hi Michael - We are in a similar situation/configuration.  Currently I don't think are any guaranteed mitigation steps and you are vulnerable.  There has been a new advisory posted and now it is recommended to upgrade to Apache 2.16.0.  We are waiting word from IBM on next steps for Cognos 11.1.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

    Regards,
    Shawn

    ------------------------------
    Shawn Lamson
    ------------------------------

    Original Message


  • 20.  RE: log4j cve + cognos

    Posted Wed December 15, 2021 09:21 AM

    Hi all,

    Thank you to anyone who took the time to respond!

    Maybe it would help us or others to offer a few more details and thoughts – thoughts appreciated

    1.       Cognos for us is behind the firewall requiring VPN or on-premise access

    a.       So Cognos is less critical for us to handle then some public facing systems

    2.       Cognos for us uses Microsoft IIS as its web server and Microsoft asserts its own products don't use LOG4J  - another plus

    3.       Cognos for us is set up to use SSO from IIS. That means this (see Administration and Installation Guide):

    a.       ... Click Add Module Mapping in the right Actions pane. • Request path is cisapi. • Module is IsapiModule. • Executable is install_location\cgi-bin\cognosisapi.dll

    b.       Meaning, I think, as I said, that our gateway program is ISAPI

    4.       We connect to Oracle for content and as the content store

    5.       We connect to Active Directory for authentication

    My thoughts are therefore these:

    1.       Need to look to see if the Oracle drivers and client use LOG4J

    2.       Need to determine if the connection to Active Directory is a problem (I'm told it is not a problem from the Active Directory side)

    3.       Need IBM to release a hot fix that we will install

    a.       Because LOG4J can be used in any Java application not just a web server, and it IBM apparently (?) may have used it internally in Cognos

    4.       Our system administrators need to look at whatever else may be on the Windows Server 2016 that hosts Cognos

    Thanks again

    Mike


    --
    Michael Sullivan
    978 762 4218
    North Shore Community College



    Original Message


  • 21.  RE: log4j cve + cognos

    Posted Mon January 10, 2022 01:03 PM
    Michael Sullivan and the rest of the IBM Gurus,

    As required by IBM, our campus also runs the "IMLT - Big Fix Server" that tracks all of our Cognos logging to make sure that we don't exceed our IBM licensing quotas.  Our security scan just identified this server as having the Apache log4j vulnerability.  I'm unable to find any documentation on remediation for this IBM product.  Can anyone point to documentation for remediation steps?

    Your assistance is appreciated.  

    Jeanie

    PS - Thank you Michael for your log4j analysis outline.  It was very helpful.

    ------------------------------
    Jeanie Krieger
    Business Analyst
    California State University, Sacramento
    Sacramento CA
    ------------------------------

    Original Message


  • 22.  RE: log4j cve + cognos

    Posted Mon January 10, 2022 01:23 PM
    Hi Jeanie,

    I believe that IBM still has not fully resolved the LOG4J vulnerabilities (e.g. pertaining to logging done internally within Cognos via the LOG4J Java module). We have a ticket open with them to notify us when they do. Specifically, I believe CVE-2021-45105 LOG4J is still waiting for resolution. They view this as a lower priority (a less serious vulnerability than the problems resolved to date).

    In the meantime, not wanting to wait any longer, we installed the remediations that IBM has released. In our case, that meant advancing to the latest 11.1.7 fixpack which includes the vulnerability fixes and many other defect corrections. The download for us included three files: one for the BI Server, one for the client (Framework Manager in our case) and the installer. 

    I believe IBM also released just the actual fix for the remediations it has completed to date (so that you needn't upgrade to the latest fixpack).

    IBM has been very helpful to me whenever I've opened tickets. You might do that if it is unclear what to do

    Hope this helps. 

    Michael



    --
    Michael Sullivan
    978 762 4218
    North Shore Community College



    Original Message


  • 23.  RE: log4j cve + cognos

    Posted Mon January 10, 2022 04:22 PM

    I would refer you to the PSIRT Blog where IBM posts all their security advisory messages.

     

    Here are the results for search on "cognos" :

    https://www.ibm.com/blogs/psirt/?s=cognos




    Original Message


  • 24.  RE: log4j cve + cognos

    IBM Champion
    Posted Tue January 11, 2022 02:33 AM
    Hi Jeanie,

    I found this article on the IBM website and followed their instructions. I've upgrade all componentns of our ILMT server easily (depends on your prev version though).
    https://www.ibm.com/support/pages/node/6525762

    Br

    ------------------------------
    Robert Dostal
    Team Leader BI
    GEMÜ
    Ingelfingen
    ------------------------------

    Original Message


  • 25.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 09:09 AM
    It appears as of 7pm yesterday IBM marked all 11.x versions as affected and put out interim fix packs

    https://www.ibm.com/support/pages/node/6526474

    ------------------------------
    Chris Stadler
    ------------------------------

    Original Message


  • 26.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 09:44 AM
    IBM support confirmed that Cognos Analytics 11.1.7 Interim Fix 6 supports the CA 11.1.7 fix pack 2 versions.

    ------------------------------
    Ramanujam Rajagopal
    ------------------------------

    Original Message


  • 27.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 10:07 AM
    Unfortunately, the interim fix uses Log4j 2.15 but Apache already posted on Dec 13th (https://logging.apache.org/log4j/2.x/) that 2.15 doesn't fix the vulnerability completely and instead 2.16 has to be used. I guess we need to continue the wait till IBM releases another IF with 2.16. 

    Regards,

    ------------------------------
    Kiran Passumarthi
    www.linkedin.com/in/kiranpassumarthi
    ------------------------------

    Original Message


  • 28.  RE: log4j cve + cognos

    Posted Thu December 16, 2021 10:13 AM
    This is also being discussed in this community thread: 
    Log4j exploit and security alert | Planning Analytics with Watson (ibm.com)

    ------------------------------
    Kasper Dueholm
    ------------------------------

    Original Message


  • 29.  RE: log4j cve + cognos

    Posted Fri December 17, 2021 09:44 AM
    So is there any consensus among users?  At this point it seems like Cognos Analytics and TM1 users are waiting for word from IBM that CVE-2021-45046 is addressed before going back to "normal" usage.  That assumes they have installed the latest version patch and taken any other recommended "mitigation steps".  Is my analysis correct?  We assume IBM is still hard at work trying to address this Log4j vulnerability!  And we are waiting and losing patience!

    Shawn

    ------------------------------
    Shawn Lamson
    ------------------------------

    Original Message


  • 30.  RE: log4j cve + cognos

    Posted Fri December 17, 2021 02:36 PM
    Hi

    Does anyone know how to run the fix?
    casrv-11.2.1-2112131054-winx64h
    Once extracted, you get 3 folders 

    • apacheds
    • com
    • edu
    • manifest

    and I can seem to find any setup or EXE or any documentation 

    Cheers

    ------------------------------
    Mig Garcia
    ------------------------------

    Original Message


  • 31.  RE: log4j cve + cognos

    Posted Fri December 17, 2021 03:57 PM
    Hi Mig - You need to use the installer for whatever version you are on, for your example use the same installer you used to install 11.2, but when prompted point it to this IF file.  I recommend getting a full backup prior to running the installer, I've seen and heard problems where it fails and rolls back, and deletes all of your files.

    Shawn

    ------------------------------
    Shawn Lamson
    ------------------------------

    Original Message


  • 32.  RE: log4j cve + cognos

    Posted Fri December 17, 2021 04:49 PM

    Great Shawn

     

    Thanks for the information

     

    Cheers

     

     

     

    Miguel Garcia

    Senior BI Consultant - Information, Intelligence & Technical Innovation

    William Osler Health System

    Email – Miguel.Garcia@williamoslerhs.ca

    Office ▪ 905.494.2120 ext. 29293 |

    Peel Memorial Centre, 20 Lynch St, Brampton, ON L6W 2Z8

     

    image001.png@01D59E21.870CCC90

     

    This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal.



    Original Message


  • 33.  RE: log4j cve + cognos

    Posted Fri December 17, 2021 04:24 PM
    Hi,

    We installed workaround for no upgrade solution in our lower environment to try out and since that update none o four DQM packages are working. We are getting "XQE error encountered: DPR-ERR-2002 Unable to execute the request because there were no connections to the process available within the configured time limit." error on all our reports/packages. 
    Any one have any idea or faced similar issue. We are using 11.2.0 
    Let me know.

    Thank you.

    - Siddharth Shah

    ------------------------------
    Siddharth Shah
    ------------------------------

    Original Message


  • 34.  RE: log4j cve + cognos

    Posted Mon December 20, 2021 09:31 AM
    Hi Siddharth,  

    We also did the work around and had the same issue.  We found that we left an extra " in the xml code.  We ended up throwing the code into notepad ++ and the new code we added showed up in red.  Once we corrected the issue, things worked great.

    ------------------------------
    Sean Bertoux
    ------------------------------

    Original Message


  • 35.  RE: log4j cve + cognos

    Posted Mon December 20, 2021 10:16 AM
    Hi Sean,

    Thank you for the prompt reply and fix. I checked the file using Notepad ++ and saw the code in red. Fixed the extra " and it works as expected now.
    Thank you for your help.

    ------------------------------
    Siddharth Shah
    ------------------------------

    Original Message


  • 36.  RE: log4j cve + cognos

    Posted Tue December 21, 2021 01:06 AM
    Edited by System Fri January 20, 2023 04:26 PM

    Hi Siddarth,

    Please confirm whether you did the workaround in all installations like cm, disp and gateway?

    Also please confirm after you created the xqe.config.custom file, did you kept the original xqe.config file or you deleted that? Because for us after applying the workaround when we start the services, its not starting and so we reverted back.

    Thanks



    ------------------------------
    Harie
    ------------------------------

    Original Message


  • 37.  RE: log4j cve + cognos

    Posted Tue December 21, 2021 07:35 AM
    Hi all,

    I have applied interim fix 6 but it did not removed the JndiLookup.class from the 'log4j-core-2.15.0.jar'. it updates the log4j version from 2.7 to 2.15.

    So I tried applying the workaround and mitigation this morning but I get an error when starting the dispatcher.  CFG-ERR-0106.
    Anyone has faced this issue? 

    Note: I compared the files bootstrap_wlp_os_version.xml and xqe.config.custom.xml in content manager and dispatcher and both file matches. But content manager started without an error but dispatcher brings startup error.

    Also validation in p2pd_messages.log file did not has the search item specified in the instructions docx .



    Any suggestions?

    Thanks,
    Veera




    Original Message


  • 38.  RE: log4j cve + cognos

    Posted Mon December 20, 2021 10:03 AM
    We have installed the interim fix 1 for 11.2.1 for the Apache log4j Vulnerability (CVE-2021-44228).
    But there are 2 new vulnerabilities CVE-2021-45046 and CVE-2021-45105. Is IBM also working to fix these issues with a patch and when can we expect a fix?

    ------------------------------
    Thomas van der Meer
    ------------------------------

    Original Message


  • 39.  RE: log4j cve + cognos

    Posted Mon December 20, 2021 01:01 PM
    Hi Team,
    Can anyone from Product Management confirm on the ETA for the fix which inlcude 2.17 version of log4j? We have customers from Banking domain who are shutting down cognos application and expecting an update.
    Can you please help?
    Thanks!

    ------------------------------
    Dhanush
    ------------------------------

    Original Message


  • 40.  RE: log4j cve + cognos

    Posted Mon December 20, 2021 01:40 PM
    Edited by System Fri January 20, 2023 04:09 PM
    Hello,

    The same patch work with PowerPlay Studio ?

    ------------------------------
    Jerzy Konarski
    ------------------------------

    Original Message


  • 41.  RE: log4j cve + cognos

    Posted Tue December 21, 2021 01:19 AM
    Edited by System Fri January 20, 2023 04:22 PM
    This seems to be an open ended question at this point and IBM is only asking us to look at the bulletin!!! Unofficially on social platforms like LinkedIn few IBMers are saying these fixes cover 2.16 and now 2.17 as well and I am not sure why IBM doesn't say that officially if that's true. I think more than the fix itself it is the proper communication or lack of it thereof that is hurting the community. Our customer security teams are not accepting unofficial communications and we owe a proper response to them than just saying we are waiting on IBM!!!

    Regards,

    ------------------------------
    Kiran Passumarthi
    www.linkedin.com/in/kiranpassumarthi
    ------------------------------

    Original Message


  • 42.  RE: log4j cve + cognos

    Posted Tue December 21, 2021 01:29 AM
    Can someone explain what the "bundled" IF7 fix for 11.1.3 "Bundled Customers" is in relation to the previous IF6 for 11.1.7?

    Here is what the table looks likes:

    Affected Version

    Fix Version

    Bundled Customers

    IBM Cognos Analytics 11.2.x

    Cognos Analytics 11.2.1 Interim Fix 1

     

    IBM Cognos Analytics 11.2.1 Interim Fix 2 (Bundled)

    IBM Cognos Analytics 11.1.x

     

    Cognos Analytics 11.1.7 Interim Fix 6

     

    IBM Cognos Analytics 11.1.7 Interim Fix 7 (Bundled)

    IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

     

    Cognos Analytics 11.0.13 Interim Fix 3

     

    IBM Cognos Analytics 11.0.13 Interim Fix 4 (Bundled)    

    At first I thought maybe it was an installer bundled with the server install, but that doesn't seem to fit: https://www.ibm.com/support/pages/node/6526474?myns=swgimgmt&mynp=OCSSTSF6&mync=E&cm_sp=swgimgmt-_-OCSSTSF6-_-E

    Shawn

    ------------------------------
    Shawn Lamson
    ------------------------------

    Original Message


  • 43.  RE: log4j cve + cognos

    Posted Tue December 21, 2021 01:37 AM
    I see now they have notes on the ammended content: 

    Change History

    21 Dec 2021: Added Bundled Customer links to Remediation/Fixes section .

    I still don't know what a "Bundled Customer" is though!

    Shawn



    ------------------------------
    Shawn Lamson
    ------------------------------

    Original Message


  • 44.  RE: log4j cve + cognos

    Posted Tue December 21, 2021 03:01 AM
    OK - Maybe I am answering my own questions here, but if I click the link in the Security Bulletin I see the target URL includes this:

    product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.1.7-BA-CA-BNDL-IF007

    but it throws an error saying I am requiring something "restricted" and I don't have access - though I am signed in.

    So, I wound up browsing Fix Central I see that yes there appears to be an IF 7 out for CA 11.1.7, which mentions one of the new CVE's!

    https://www.ibm.com/support/pages/node/6525664

    Abstract

    A security vulnerability has been addressed in IBM Cognos Analytics 11.1.7 Interim Fix 7.

    Download Description

    IBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This Interim Fix addresses the exposure to the Apache Log4j (CVE-2021-44228) and (CVE-2021-45046) vulnerability.

    Please refer to the following Security Bulletins for more details.

    Security Bulletin (CVE-2021-44228)
    Security Bulletin (CVE-2021-45046)

    Happy Hunting!

    Shawn

    ------------------------------
    Shawn Lamson
    ------------------------------

    Original Message


  • 45.  RE: log4j cve + cognos

    Posted Tue December 21, 2021 11:04 AM
    the patches include new "feature" for 11.7 customers, which suggest you to upgrade to 11.2.1

    https://www.ibm.com/support/pages/apar/PH39405

    Error description

    • XQE-DAT-0001 Data source adapter error in reports that use a
data module and data sets that include a left join.

    Local fix

    • 

      

      • 

    

    Problem summary
    

      

    • 

      ****************************************************************
* USERS AFFECTED:                                              *
* All Users                                                    *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to IBM Cognos Analytics 11.2.1                       *
****************************************************************
Configuration Instructions:

A new capability is added called joins.BracketInner which
impacts Native SQL generation. If the property is set to true,
grouped inner joins will be bracketed. The property is by
default false, and is set to true for Flint in Flint.properties

      

      • 



    ------------------------------
    Oleg Nevedrov
    ------------------------------

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            46.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Wed December 22, 2021 10:03 AM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                Hi Shawn,

    Were you able to download the new fix?
    I am also getting same "Access Denied" error while downloading.

    Thanks,
    Astha

    ------------------------------
    Astha Sinha
    ------------------------------

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            47.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Wed December 22, 2021 10:06 AM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                
    Yes, I accessed Fix Central and browsed.

    Shawn

     DISCLAIMER: This email and any files transmitted with it are intended solely for the person or the entity to whom they are addressed and may contain information which is Confidential and Privileged. Any misuse of the information contained in this email, including but not limited to retransmission or dissemination of the said information by person or entities other than the intended recipient is unauthorized and strictly prohibited. If you are not the intended recipient of this email, please delete this email and contact the sender immediately.



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            48.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Wed December 22, 2021 10:10 AM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                
     
    Hi
     
     
     
    Had the same issue, reached out to Software support
     
    The next day, I got access to the fix
     
     
     
     
     
     
     
     
     
     
    Miguel Garcia 
     
    Senior BI Consultant - Information, Intelligence & Technical Innovation 
     
    William Osler Health System
     
    Email – Miguel.Garcia@williamoslerhs.ca
     
    Office ▪ 905.494.2120 ext. 29293 | 
     
    Peel Memorial Centre, 20 Lynch St, Brampton, ON L6W 2Z8
     
     
     
    image001.png@01D59E21.870CCC90
     
     
     



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            49.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Wed December 22, 2021 09:54 AM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                I asked the same question in my open case with support and here is what they said

    With regard to Bundle vs. Non-bundle, many customer install Cognos as a part of a bundle with other products such as PA, Open Pages. The bundled version accommodates those customers.

    ------------------------------
    Amy Rivito
    ------------------------------

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            50.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Thu December 23, 2021 06:37 PM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                
     
     
     
    Hi
     
     
     
    Did anyone have any issues installing the FIX
     
    Tried the IBM  Cognos Analytics 11.2.1 Interim Fix 2 (Bundled) on our dev (CA 11.2.0) and it wiped out my current Cognos/analytics files
     
    I have to re-install the whole application 
     
     
     
    Support was stumped and couldn't help
     
    Do you have any install docs by any changes
     
     
     
     
     
     
     
     
     
     
     
    Miguel Garcia 
     
    Senior BI Consultant - Information, Intelligence & Technical Innovation 
     
    William Osler Health System
     
    Email – Miguel.Garcia@williamoslerhs.ca
     
    Office ▪ 905.494.2120 ext. 29293 | 
     
    Peel Memorial Centre, 20 Lynch St, Brampton, ON L6W 2Z8
     
     
     
    image001.png@01D59E21.870CCC90
     
     
     
     This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information  by a person other than the intended recipient is unauthorized and may be illegal.



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            51.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Thu December 23, 2021 08:56 PM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                
    I installed 11.1.7 interim fix 7 bundled version on our production. It takes more time to execute the report. 


    Thanks.
    Ram,
    Senior Applications. Systems Administrator,
    Applications & Architect Services, ITS 
    Boston College
    617-552-1689



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            52.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Thu December 23, 2021 09:19 PM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                
     
    Thanks Ram
     
     
     
    Went thru the install phases
     
    First try
     
    I got to the 'Pre-installation Summary'
     
    Froze for about 10 mins and got an error, odd dialogue box saying someone was still connected
     
     
     
    Tried again, and now I can't get past 'Location' as my folder was expunged
     
     
     
     
     
    Miguel Garcia 
     
    Senior BI Consultant - Information, Intelligence & Technical Innovation 
     
    William Osler Health System
     
    Email – Miguel.Garcia@williamoslerhs.ca
     
    Office ▪ 905.494.2120 ext. 29293 | 
     
    Peel Memorial Centre, 20 Lynch St, Brampton, ON L6W 2Z8
     
     
     
    image001.png@01D59E21.870CCC90
     
     
     
     This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information  by a person other than the intended recipient is unauthorized and may be illegal.



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            53.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Sun December 26, 2021 12:02 PM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                Mig,

    Not sure if you happen to be installing on Windows but in our Linux environment I noticed the installation gets killed in the middle of installing files. I did not kill it.

    

    Preparing to install
    

    Extracting the JRE from the installer archive...
    

    Unpacking the JRE...
    

    Extracting the installation resources from the installer archive...
    

    Configuring the installer for this system's environment...
    

    Launching installer...
    

    Killed

    
It seems, at least on Linux, the installer is broken for 11.2.1 interim fix 2. Perhaps it is also on Windows and you just don't see the error behind the UI.

    ------------------------------
    Robert Hofstetter
    ------------------------------

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            54.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Sun December 26, 2021 01:00 PM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                
     
    Thanks Rob
     
     
     
    Sounds like what happened to me but it's on Windows
     
    I should have had an Image taken just in case of this kind of failure
     
    We have been doing quite a lot of Windows and SQL updates in the past month without a glitch, doesn't look well for IBM 
     
     
     
     
     
     
     
     
    Miguel Garcia 
     
    Senior BI Consultant - Information, Intelligence & Technical Innovation 
     
    William Osler Health System
     
    Email – Miguel.Garcia@williamoslerhs.ca
     
    Office ▪ 905.494.2120 ext. 29293 | 
     
    Peel Memorial Centre, 20 Lynch St, Brampton, ON L6W 2Z8
     
     
     
    image001.png@01D59E21.870CCC90
     
     
     



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            55.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Mon December 27, 2021 06:19 AM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                Hi Team,
    Any update with respect to CVE-2021-45105?
    Thanks!

    ------------------------------
    Dhanush
    ------------------------------

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            56.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Mon December 27, 2021 02:55 PM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                Hi, everyone!

    It is very simple, just follow theses steps: https://www.ibm.com/support/pages/node/6526474

    Works very fine and it is not necessary do make an installation.

    ------------------------------
    JEAM COELHO
    Cognos Solution Architect

    LinkedIn: https://www.linkedin.com/in/jeamcoelho/
    ------------------------------

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            57.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Tue December 28, 2021 02:50 AM
    Edited by System Fri January 20, 2023 04:21 PM    
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                Hi Jeam, 

    The link you posted doesn't resolve cve-2021-45105. We are all waiting, since IF was released with 2.16, for that cve to be resolved so as to apply 2.17 version of log4j2, which as per Apache, fixes all vulnerabilities. 

    Also, does anyone know if cve-2021-4104 is applicable to Cognos as we find log4j 1.2.x versions being used?

    Regards,

    ------------------------------
    Kiran Passumarthi
    www.linkedin.com/in/kiranpassumarthi
    ------------------------------

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    • 
                
                    
  • 
			                                
                                
                                
    
                                    
    
                                        
    
                                            
                                            58.  
                                            RE: log4j cve + cognos
                                            
                                            
                                            
                                        
    
                                    
    
                                    
    
                                        
    
				
                                                
    
                                                    
    
					
        
        
        
        
        
        
        
            
        
    
				
    

                                                
    
                                            
			
    
                                    
    
                                
    
                                
                                

                                
    
                                    
    
                                        
                                    
    

                                    
    
				

                                        
    
                                            
    
                                                
    
                                                    
    
                                                        Posted Tue December 28, 2021 11:05 AM
                                                        
                                                    
    
                                                
    
                                            
    
                                            
    
                                                

                                                
                                            
    
                                        
    

                                        
    
                                            
    
                                                
     
    Hi
     
     
     
    Support pointed me to this fix casrv-11.2.1-2112172008
     
     
     
    IBM  Support: Fix Central - Download files using HTTPS
     
     
     
     
     
     
     
     
     
     
    Miguel Garcia 
     
    Senior BI Consultant - Information, Intelligence & Technical Innovation 
     
    William Osler Health System
     
    Email – Miguel.Garcia@williamoslerhs.ca
     
    Office ▪ 905.494.2120 ext. 29293 | 
     
    Peel Memorial Centre, 20 Lynch St, Brampton, ON L6W 2Z8
     
     
     
    image001.png@01D59E21.870CCC90
     
     
     



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message
                                                
    
                                                
                                            
    
                                        
    

                                        
                                        

                                    
			
    

                                    
                                
    

                                
                                
    
                                
    
                            
		
    •