Log4Shell is a critical vulnerability recently discovered in the Apache log4j software that is used by a huge number of enterprise applications for logging, including IBM Cognos Analytics and Planning Analytics. The vulnerability allows a malicious actor to run code on a vulnerable server by crafting a message and sending it to the server, in the expectation that some of the message will be logged. Essentially the message tells the logging software to download some code and run it.

The malicious actor must be able to contact the affected service, so could exploit any publicly available service, or must have a presence on any private network that a service is available on to exploit.

IBM’s Product Security Incident Response Team is actively working the reported remote code execution vulnerability. It is recognized and being worked as a critical severity issue.

IBM Planning Analytics

Security Bulletin: IBM Planning Analytics 2.0: Apache log4j Vulnerability (CVE-2021-44228)

• This vulnerability has already been addressed for IBM Planning Analytics on Cloud and no further action is required.
• IBM have confirmed the only affected service in Planning Analytics is the Planning Analytics Workspace (PAW) web server from version 2.0.57, and have released version 71 to remediate the issue. The recommendation is to upgrade if you are on an affected version on-prem.

IBM Cognos Analytics

Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

• Remediation for the IBM Cognos Analytics Cloud and Cloud Hosted instances has completed.
• Interim Fixes are available for on-prem versions 11.2.x, 11.1.x and 11.0.6 to 11.0.13
• The IBM Cognos Analytics team have also developed a “no-upgrade” option for our “On Prem” (local installation) customers. This patch is available as a .jar file and is included along with detailed instructions on how to execute. See: CA-11.x-Log4jSafeAgent
• IBM have confirmed that Cognos BI v10.2.x is not vulnerable