Cognos Analytics

  • 1.  CVE-2021-44228 on Cognos Analytics

    Posted Mon December 13, 2021 01:19 PM

    Is the Log4j security flaw present in Cognos Analytics version 11.1.7? If it is, will there be a patch released by IBM?

    #CognosAnalytics
    #CognosAnalyticswithWatson
    #Support
    #SupportMigration


  • 2.  RE: CVE-2021-44228 on Cognos Analytics

    Posted Tue December 14, 2021 07:38 PM

    I'm wondering the same thing, Chris, but I'm thinking it is. IBM hasn't released a security bulletin re: Cognos as of the time of writing this. But the file log4j-core-2.7.jar is present in the cognos/analytics/bin directory.


  • 3.  RE: CVE-2021-44228 on Cognos Analytics

    Posted Thu December 16, 2021 05:30 PM

    https://www.ibm.com/support/pages/node/6526474?myns=swgimgmt&mynp=OCSSTSF6&mync=E&cm_sp=swgimgmt-_-OCSSTSF6-_-E

    This came out last night. However, the Fix List for 11.0.13 FP3 doesn't appear to include any changes related to this CVE, so this is all very unclear and quite concerning. Also, as of today, it looks like log4j2-core v2.15, which was released in part to address the CVE, may still be vulnerable. So, if this fix just bumps the dependency version, it may no longer be a complete fix either.

    We need more from IBM.


  • 4.  RE: CVE-2021-44228 on Cognos Analytics

    Posted Thu December 16, 2021 07:34 PM

    Just to update on this:

    Without proper release notes for the fix patch, it's hard to say if the only mitigation was to bump the dependency to 2.15. But, 2.15 is included in the files deployed by the fix patch. So, until we hear otherwise from IBM, we are operating as if the fix patch is still vulnerable, due to the new information regarding 2.16. If anyone has heard from IBM that they also disabled log4j message lookups, or completed a code review to ensure no log statements are vulnerable, please share.
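Posts 2 and 4 both come down to the same inventory question: which log4j-core builds are actually sitting under the install directory, and are they older than 2.15, exactly 2.15, or 2.16 and later with message lookups removed. The script below is an added example for this thread and is not IBM or Cognos tooling. It walks a directory tree, reads the version from log4j-core's own `pom.properties` inside each archive (falling back to the `log4j-core-<version>.jar` file name), checks whether `JndiLookup.class` is still bundled, and classifies each hit with the thresholds the thread discusses. The status names, the `build_sample_tree()` fixture and its fake JARs are constructed for the example; the `cognos/analytics/bin` path in the sample mirrors the location reported in post 2, nothing more.

```python
"""Inventory archives under a directory and flag log4j-core builds by version.
Added example, not IBM's or Cognos's code. Thresholds follow the thread:
< 2.15 open to CVE-2021-44228, 2.15 incomplete, 2.16 removes message lookups."""
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Real layout of log4j-core JARs: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIRST_FIX = (2, 15, 0)        # first release addressing CVE-2021-44228
LOOKUPS_REMOVED = (2, 16, 0)  # message lookups removed (per the thread)
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); '2.7' -> (2, 7, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(path):
    """Return (version tuple or None, JndiLookup.class present?) for one archive."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPS in names:  # authoritative: the version Maven stamped in
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1].strip())
            if version is None:  # fall back to the file name, e.g. log4j-core-2.7.jar
                m = re.search(r"log4j-core-(\d[\d.]*)\.jar$", os.path.basename(path))
                if m:
                    version = parse_version(m.group(1))
            return version, JNDI_LOOKUP in names
    except zipfile.BadZipFile:
        return None, False


def classify(version, jndi_present):
    """Map findings to a constructed status label; None means 'not log4j-core'."""
    if version is None:
        # No log4j-core metadata but the lookup class is bundled: a shaded or
        # repackaged copy whose version needs manual confirmation.
        return "UNKNOWN_VERSION_JNDI_PRESENT" if jndi_present else None
    if version >= LOOKUPS_REMOVED:
        return "FIXED"
    if version >= FIRST_FIX:
        return "PARTIAL_2.15"
    # Older than 2.15: vulnerable unless the lookup class was stripped out.
    return "VULNERABLE" if jndi_present else "MITIGATED_CLASS_REMOVED"


def scan(root):
    """Walk root and return a sorted list of findings for log4j-core archives."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        version, jndi = inspect_archive(str(path))
        status = classify(version, jndi)
        if status is not None:
            findings.append({"relpath": path.relative_to(root).as_posix(),
                             "version": version, "jndi_lookup": jndi, "status": status})
    return findings


def _write_fake_jar(path, version=None, with_jndi=True):
    """Constructed sample: a minimal zip mimicking log4j-core's internal layout."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
        zf.writestr("README.txt", "constructed test archive")


def build_sample_tree():
    """Constructed install tree; bin/log4j-core-2.7.jar echoes post 2's find."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    _write_fake_jar(root / "bin" / "log4j-core-2.7.jar", "2.7")
    _write_fake_jar(root / "lib" / "log4j-core-2.15.0.jar", "2.15.0")
    _write_fake_jar(root / "lib" / "log4j-core-2.16.0.jar", "2.16.0", with_jndi=False)
    _write_fake_jar(root / "lib" / "log4j-core-2.7-stripped.jar", "2.7", with_jndi=False)
    _write_fake_jar(root / "app" / "bundled-app.jar", None, with_jndi=True)
    _write_fake_jar(root / "app" / "unrelated.jar", None, with_jndi=False)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan(target):
        ver = ".".join(map(str, f["version"])) if f["version"] else "?"
        print(f"{f['status']:28} {ver:8} jndi={f['jndi_lookup']!s:5} {f['relpath']}")
```

Run it with the install root as the argument (`python log4j_inventory.py /opt/ibm/cognos/analytics`) or with no argument to see it classify the constructed sample tree. Reading `pom.properties` matters because a patch that bumps the dependency can leave a differently named or repackaged JAR behind, and the `JndiLookup.class` check distinguishes an old build that was defused by removing the class from one that was merely renamed.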


  • 5.  RE: CVE-2021-44228 on Cognos Analytics

    Posted Fri December 17, 2021 02:21 AM

    Update: https://www.ibm.com/support/pages/node/6526474?myns=swgimgmt&mynp=OCSSTSF6&mync=E&cm_sp=swgimgmt-_-OCSSTSF6-_-E

    As I understand the technique, this should be a comprehensive fix for the original RCE vulnerability in 2.15.