Loading
search-img
Title
Flexera Analytics (Cognos) mitigation for Apache Log4j 2 vulnerability CVE-2021-44228

A critical vulnerability in Apache Log4j 2 impacting versions 2.0-beta9 through 2.12.1 and versions 2.13.0 through 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.

Cognos has been identified as potentially being affected by CVE-2021-44228. IBM’s Cognos is included in Flexera Analytics and is used as a reporting engine for FlexNet Manager Suite and FlexNet Manager for Engineering Applications. This article describes possible mitigation steps that can be applied to Cognos, as used in Flexera Analytics, until a formal hotfix is issued.

Affected users should do one of the following:

  • Follow the IBM remediation options.

         or

  • Remove Flexera Analytics (Cognos) from the computer where it is installed.

IBM remediation options

IBM has published general guidance and remediation options at the following location: An update on the Apache Log4j 2.x vulnerabilities.

A summary of IBM’s recommendations to its clients:

ibm recommends.png

Removal of JndiLookup Class

To remove the JndiLookup class on an installation of Flexera Analytics (Cognos):

1. Make a backup copy of log4j-core-2.7.jar found here (where "<number>" is a number that depends on the Cognos version installed):  C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\<number>\0\.cp

2. Copy the same log4j-core-2.7.jar file to a directory you have write access to.

3. Open the copy of log4j-core-2.7.jar in a program like 7Zip.

log4j.png

4. Delete the file JndiLookup.class.
jndi.lookup.class.png
5. Save the updated .jar file archive.

6. Copy the updated log4j-core-2.7.jar file back to the original location: C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\<version>\0\.cp

7. Also replace the file in this location: C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\<version>\0\.cp

Remove Cognos

To uninstall Cognos, uninstall the IBM Cognos Analytics application through the Windows Add Remove Programs applet:

add remove ibm cognos.png

note blue light.pngNote: This will result in all Flexera Analytics functions being unavailable to users.

 

Changelog

2021-12-15 9:00am CST: Initial article.

2021-12-15 7:20pm CST: Update details to allow for directory names which may vary based on the version of Cognos.

Was this helpful?
Support Hub
Create a case with Support
0/255
Upload Attachment
File Upload
Maximum file size allowed is 3 MB.
File type not supported.
Supported file types:
Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files (.csv) Speadsheets (.xlsx, .xls)

Are you sure you want to cancel the case creation?

Are you sure you want to close this case

Get Hotline support
Products Region Phone Numbers
FlexNet Operations
FlexNet Embedded
FlexNet Publisher
FlexNet Connect
FlexNet Code Insight
InstallAnywhere
InstallShield 		North America  * +1 630-332-2513 (toll)
+1 877-279-2853 (toll-free in North America)
Europe  * +44 1925 944367 (toll)
+44 800 047 8642 (toll-free in Europe)
Japan  * +81 3-4540-5335 (select option 2)
Australia  * +61 3 9895 2177
+61 1800 560 603 (toll-free in Australia)
Usage Intelligence (formerly Revulytics)
Compliance Intelligence 		Please use the Case Portal to submit your support ticket or reach out to your Revenera contact.
Book an Appointment
File Upload
Maximum file size allowed is 3 MB.
File type not supported.
Supported file types:
Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files (.csv) Speadsheets (.xlsx, .xls)
+1.800.374.4353
CONTACT US REVENERA.COM FLEXERA.com
© 2026 Flexera Software. All Rights Reserved.
Privacy policy Terms and conditions Flexera Community Contact Us
Loading
Flexera Analytics (Cognos) mitigation for Apache Log4j 2 vulnerability CVE-2021-44228