Updated: Security Update for Apache Log4j CVE-2021-44228 Vulnerability
IBM has released a security update for the Apache Log4j CVE-2021-44228 vulnerability, as well as addressing the exposure to Apache Log4j CVE-2-21-45046 and CVE-2021-45105 in IBM Planning Analytics Workspace 2.0.
The vulnerability was reported on the 9th of December and outlined an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2 versions 2.14.1 and below (CVE-2021-44228).
What is the issue?
Apache Log4j is the most popular java logging library with over 400,000 downloads from its GitHub project. It used by a vast number of companies worldwide, enabling logging in a wide set of popular applications.
Exploiting this vulnerability is simple and allows threat actors to control java-based web servers and launch remote code execution attacks.
Impacted Products and Versions
Apache Log4j is utilised by IBM Planning Analytics, IBM Cognos Analytics and IBM SPSS Analytics.
Remediation/Fixes
If you have one of the impacted versions for either of these, it is strongly recommended by IBM to apply the most recent security update, which can be accessed below.
IBM Planning Analytics Workspace 2.0.5.7 and Above
Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by security vulnerabilities. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j CVE-2021-45046 and CVE-2021-45105 vulnerabilities. IBM Planning Analytics Workspace 2.0 has upgraded Apache Log4j to v2.17. Please note that this update also addresses CVE-2021-44228.
IBM Cognos Analytics
If you have one of the listed affected versions, it is strongly recommended that you apply the most recent security update:
IBM Cognos Analytics 11.2.x – Cognos Analytics 11.2.1 Interim Fix 1
IBM Cognos Analytics 11.1.x – Cognos Analytics 11.1.7 Interim Fix 6
IBM Cognos Analytics 11.0.x – Cognos Analytics 11.0.13 Interim Fix 3
The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On-Prem” (local installation) customers, which can be found with the latest IBM Cognos Analytics Update.
IBM SPSS Analytics
Please refer to IBM’s update about which versions of SPSS are affected, as you may need to update SPSS before applying the fix.
Visit the IBM SPSS support page for detailed information about updates for your version of SPSS.
More information
Please do not hesitate to reach out to your Cornerstone representative on 1300 841 048 if you have any questions.