Product:
Planning Analytics 2.x

Microsoft Windows 2016 Server

Issue:
User have removed some sheet in a excel workbook and publish it again to TM1WEB.

But can now not open the application view in TM1WEB. User gets a error “Failed to open the target workbook. Make sure that the file has not been renamed or deleted”.

Solution:
Check the excel workbook for reference errors.
If there are formulas that referee to the deleted sheet, this can give this error.

Ensure that all formulas point to existing columns and sheets in the workbook.

Also ensure you do not have inserted unsupported object into the workbook, like word documents and links to pictures that may not work in TM1WEB.

Redo the workbook, and publish it again.

Also ensure you do not have empty columns on the right side in your spreadsheet, that can also affect TM1Web performance.

More Information:

https://www.ibm.com/docs/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_ug.2.0.0.doc/tm1_ug.pdf

https://www.ibm.com/support/pages/list-microsoft-excel-supported-functionality-menu-ibm-cognos-tm1-web-net

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=reference-worksheet-functions

https://www.ibm.com/support/pages/how-hide-zeros-tm1web-websheet

https://www.ibm.com/support/pages/apar/PH17596

Product:

Planning Analytics Workspace
Microsoft Windows 2016 server

Issue:
PAW does not respond and most users do not get reports shown.

On the TM1WEB server you find this in log file D:\Program\ibm\cognos\tm1_64\webapps\tm1web\WEB-INF\logs\message.log

….

Caused by: java.lang.OutOfMemoryError: Java heap space

at com.ibm.cognos.tm1.websheet.SheetCell.<init>(SheetCell.java:98)…..

Solution:

Go to Cognos Configuration for TM1

Go to Environment – IBM Cognos TM1 – Maximum memory for WebSphere liberty

And increase value to 8192.
Right click and restart IBM Cognos TM1 service.

Check in task manager that you still have free RAM memory on your server.

Check if the websheet and reports now work in TM1WEB or PAW.

More information:

https://www.ibm.com/support/pages/still-getting-javalangoutofmemoryerror-whatever-value-maximum-memory-mb

https://www.ibm.com/docs/fr/cognos-analytics/10.2.2?topic=profile-adjusting-memory-resources-cognos-service

Product:
Planning Analytics Workspace 53
Microsoft Windows 2016 server

Issue:
Blank report in paw or not loading.

 

Error message in error.log file under pa-gateway folder

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond……. AH00898: Error reading from remote server returned by /tm1web/dwr/engine.js, referer: ….

Suggested Solution:

On your Windows 2016 server where PAW is installed.
Go to the config folder e.g. d:\ibm\paw\config and update the file paw.ps1 in notepad++

add last to file

env$:ProxyTimeoutSeconds='900'

Save the file.

Restart the Planning Analytics Workspace.

Open a Powershell window (with “Run as Administrator”) on the machine you have installed PAW
change into the installation directory of your PAW installation
move into the “scripts” folder: cd scripts
– to stop PAW execute the command: ./paw.ps1 stop
– to start PAW execute the command: ./paw.ps1 start

 

Some views of PAW is dependent on settings in TM1WEB, so you can also update the webapps\tm1web\WEB-INF\configuration\tm1web_config.xml file to get it to work.

add values like

<add key=”WorkbookMaxCellCount” value=”500000” />

More information:

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=local-what-timeout-settings-can-i-set

https://www.ibm.com/support/pages/action-has-been-terminated-because-it-exceeds-configured-maximum-memory-limit-error-received-while-opening-planning-analytics-workspace-book 

https://www.ibm.com/support/pages/how-stop-and-start-planning-analytics-workspace-command-line

For linux https://blog.octanesolutions.com.au/session-timeout-for-tm1web-paw-and-pax

Product:
Microsoft SQL 2016 server
Microsoft Windows 2016

Issue:

List when all the SQL agent jobs are run.

Solution:   (https://www.mssqltips.com/)

In SQL Management Studio enter this query:

-- list jobs and schedule info with daily and weekly schedules

-- jobs with a daily schedule
select
sysjobs.name job_name
,sysjobs.enabled job_enabled
,sysschedules.name schedule_name
,sysschedules.freq_recurrence_factor
,case
when freq_type = 4 then 'Daily'
end frequency
,
'every ' + cast (freq_interval as varchar(3)) + ' day(s)' Days
,
case
when freq_subday_type = 2 then ' every ' + cast(freq_subday_interval as varchar(7)) 
+ ' seconds' + ' starting at '
+ stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':')
when freq_subday_type = 4 then ' every ' + cast(freq_subday_interval as varchar(7)) 
+ ' minutes' + ' starting at '
+ stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':')
when freq_subday_type = 8 then ' every ' + cast(freq_subday_interval as varchar(7)) 
+ ' hours' + ' starting at '
+ stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':')
else ' starting at ' 
+stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':')
end time
from msdb.dbo.sysjobs
inner join msdb.dbo.sysjobschedules on sysjobs.job_id = sysjobschedules.job_id
inner join msdb.dbo.sysschedules on sysjobschedules.schedule_id = sysschedules.schedule_id
where freq_type = 4

union

-- jobs with a weekly schedule
select
sysjobs.name job_name
,sysjobs.enabled job_enabled
,sysschedules.name schedule_name
,sysschedules.freq_recurrence_factor
,case
when freq_type = 8 then 'Weekly'
end frequency
,
replace
(
CASE WHEN freq_interval&1 = 1 THEN 'Sunday, ' ELSE '' END
+CASE WHEN freq_interval&2 = 2 THEN 'Monday, ' ELSE '' END
+CASE WHEN freq_interval&4 = 4 THEN 'Tuesday, ' ELSE '' END
+CASE WHEN freq_interval&8 = 8 THEN 'Wednesday, ' ELSE '' END
+CASE WHEN freq_interval&16 = 16 THEN 'Thursday, ' ELSE '' END
+CASE WHEN freq_interval&32 = 32 THEN 'Friday, ' ELSE '' END
+CASE WHEN freq_interval&64 = 64 THEN 'Saturday, ' ELSE '' END
,', '
,''
) Days
,
case
when freq_subday_type = 2 then ' every ' + cast(freq_subday_interval as varchar(7)) 
+ ' seconds' + ' starting at '
+ stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':') 
when freq_subday_type = 4 then ' every ' + cast(freq_subday_interval as varchar(7)) 
+ ' minutes' + ' starting at '
+ stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':')
when freq_subday_type = 8 then ' every ' + cast(freq_subday_interval as varchar(7)) 
+ ' hours' + ' starting at '
+ stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':')
else ' starting at ' 
+ stuff(stuff(RIGHT(replicate('0', 6) + cast(active_start_time as varchar(6)), 6), 3, 0, ':'), 6, 0, ':')
end time
from msdb.dbo.sysjobs
inner join msdb.dbo.sysjobschedules on sysjobs.job_id = sysjobschedules.job_id
inner join msdb.dbo.sysschedules on sysjobschedules.schedule_id = sysschedules.schedule_id
where freq_type = 8
order by job_enabled desc

 

More Information:

https://www.mssqltips.com/sqlservertip/5019/sql-server-agent-job-schedule-reporting/

https://database.guide/4-ways-to-get-a-list-of-schedules-in-sql-server-agent-t-sql/

Product:
Microsoft SQL server 2016

Microsoft Windows 2019 server

Issue:
List size and location of SQL database files?

Solution:

In SQL management studio enter this query;

SELECT
    db.name AS DBName,
    type_desc AS FileType,
    Physical_Name AS Location,mf.size/128 as Size_in_MB
FROM
    sys.master_files mf
INNER JOIN 
    sys.databases db ON db.database_id = mf.database_id
ORDER BY  Size_in_MB DESC,DBName

More information:

How to determine free space and file size for SQL Server databases

SQL SERVER – Find Location of Data File Using T-SQL

Product:
Microsoft SQL server 2016
Microsoft Windows 2019

Issue:
How do i see what roles a user is member of?

Solution:

In SQL management studio, enter this query, to find roles the user is part of;

exec xp_logininfo 'DOMAIN\username', 'all'

In powershell you can enter this command to find content of groups

Get-ADGroupMember -Identity adgroupname | select name, objectclass

Or also expand to find users in groups

Get-ADGroupMember -Identity adgroupname -Recursive| select name, samaccountname

 

 

More information:

https://4sysops.com/wiki/how-to-install-the-powershell-active-directory-module/

https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroupmember?view=windowsserver2022-ps

https://ss64.com/ps/get-adgroupmember.html

https://www.sqlserver-dba.com/2016/01/how-to-query-active-directory-with-xp_logininfo.html

https://www.mssqltips.com/sqlservertip/1252/auditing-windows-groups-from-sql-server/

Product:
Cognos Analytics 11.1.7

Microsoft Windows 2016

Issue:

How remove the JNDI call from the log4j-core file?

Suggested solution:

(Test this first in your LAB environment)

Ensure where you have 7zip installed.  https://www.7-zip.org/

Find out what file to clean.  (Take a backup of the files to clean).

For cognos controller, we guess it is this file:

C:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.reports\apps\fcm.reports-rest.war\WEB-INF\lib\log4j-core-2.5.jar

For cognos analytics, it is several files, maybe this:

C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar
C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\88\0\.cp\log4j-core-2.7.jar

Create a new folder e.g. c:\fix

Create a text file, where you list the files to clean on this server e.g. c:\fix\filetofix.txt

Create a new powershell file,  jarupdate.ps1, with this content:

# set location of 7z program
$7zip = "C:\Program Files\7-Zip\7z.exe"
# run the script on the source machine
# get files from list to clean
$file2fix= Get-Content -Path "c:\fix\filetofix.txt" 
foreach ($thefile in $file2fix) 
{ 
Write-Host "Currently the script is cleaning " $thefile 
& $7zip d "$($thefile)" "org/apache/logging/log4j/core/lookup/JndiLookup.class"

}

Get approval to do the update on the Cognos server.

Stop all IBM Cognos services.


Check that no JAVA process is still around.
Start POWERSHELL as administrator

Go to you c:\fix folder

Enter command: .\jarupdate.ps1

The output will be similar to this;

Reboot the server.
Test that Cognos still works.

Repeat on all effected servers.

If you have checked the size of the jar file before clean, you should see a difference after clean.

More Information:

https://www.ibm.com/support/pages/node/6526474

https://www.ibm.com/support/pages/node/6526468

911 – Log4j Security Risk Affects IBM Planning Analytics, Cognos…

https://ss64.com/ps/get-content.html

https://7ziphelp.com/7zip-command-line

Product:
Cognos Controller 10.4.2

Microsoft Windows 2019 server

Issue:

How upgrade Cognos Controller to 10.4.2 IF15?

https://www.ibm.com/support/pages/node/6528580    (new version 10.4.2 IF16)

https://www.ibm.com/support/pages/node/6526468

Suggested solution:

Download the file up_cntrl_winx64h_10.4.2000.1098_ml.tar.gz

IBM Cognos Controller 10.4.2 Interim Fix 15, requires that IBM Cognos Controller 10.4.2 is installed.
If you not have 10.4.2, you need to install that first. https://www.ibm.com/support/pages/how-installupgrade-controller-serverclient

Follow IBM instructions https://www.ibm.com/support/pages/node/6526240 or

  1. Change to the directory where you have downloaded the interim fix.
  2. Decompress the .tar.gz file. If you are using WinZip®, select the option “use folder names”.
  3. Stop Internet Information Services (IIS) Manager (the Default Web Site).
  4. Shut down the IBM Cognos Controller Consolidation COM+ application through Component Services.
  5. Stop the following services through the Services Manager.
  6. Check that you have a back up of the cognos content store and controller database.
  7. If your IBM Cognos Controller environment is customized, back up the entire IBM Cognos Controller location.
  8. Go to the location where you downloaded and extracted the files.
  9. Go to the win64h directory and double-click the issetup.exe file.
  10. Open IBM Cognos Configuration, save the configuration, and then start the IBM Cognos service.
  11. Open Controller Configuration, and check that the values are there, special for Server Authentication and Client Distribution Server Configuration.
  12. If you have a distributed environment, repeat these steps for all remaining IBM Cognos Controller servers.
  13. Start the Internet Information Services (IIS) Manager (the Default Web Site).
  14. Reboot your windows server.

When you check in Cognos Controller client under help – system information – you see the version number there. Cognos Controller Version depend on the client you have installed.

In the transfer log you can find lines like this:

Condition “File “d:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.reports\apps\fcm.reports-rest.war\WEB-INF\lib\log4j-api-2.5.jar” exists” evaluated to true.

Successfully deleted file “d:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.reports\apps\fcm.reports-rest.war\WEB-INF\lib\log4j-api-2.5.jar”.

Condition “File “d:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.reports\apps\fcm.reports-rest.war\WEB-INF\lib\log4j-core-2.5.jar” exists” evaluated to true.

Successfully deleted file “d:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.reports\apps\fcm.reports-rest.war\WEB-INF\lib\log4j-core-2.5.jar”.

The update replace the jar file to later version.

If you upgrade from a version older than 10.4.2, you need to reinstall your cognos controller client to a new version on all users laptops.

https://www.ibm.com/support/pages/how-install-controller-local-client

This version also contain other corrections, here is Controller fix list;

https://www.ibm.com/support/pages/ibm-cognos-controller-104x-fix-list

More information:

If you have CA11 installed, that also need to be upgraded.

https://www.ibm.com/support/pages/node/6526474

Workarounds and Mitigations

IBM is developing a “non-upgrade” option for “On Prem” Cognos Analytics customers that will patch the system and allow customers to remain on their current applicable version.  Cognos Controller customer have to upgrade to latest version, or patch the faulty jar files themselves. But IBM is developing a “no-upgrade” option for “On Prem” customers that will patch the system and allow customers to remain on their current applicable version. Check IBM page https://www.ibm.com/support/pages/node/6528580

Product:
Cognos Analytics
Microsoft Windows 2016 server

Issue:

How do i check my computer for this issue?

Suggested solution:

Paste below code in a text file, name the file to check.ps1

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

Place the file in c:\temp and start a powershell session:

.\check.ps1 > result.txt

Run the file with pipe the result to a text file, so you later easy can check what files can be an issue.

The command will check in jar files if they have the string JndiLookup.class

It will list the jar files that can have the issue, one example is C:\Program Files\ibm\cognos\analytics\bin\ThirdPartyCertificateTool.jar.  Think that this program is not running all the time, it is only used when you use the tool from the command line.  Then this jar file have a very little risk. It is worse for web-servers and web applications that run all the time.

You can unzip a jar file, to check its content.

If you remove the file JndiLookup.class and zip it back to a JAR file, you have cleaned the program.

 

More information:

https://www.ibm.com/support/pages/node/6526474

https://pmsquare.com/analytics-blog/2021/12/13/ibm-ca-pa-and-the-apache-log4j-cve-2021-44228-vulnerability

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

https://www.ibm.com/support/pages/node/6525700?myns=swgother&mynp=OCSSCTEW&mync=E&cm_sp=swgother-_-OCSSCTEW-_-E

Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.

Log4j 1.2.17 and 1.x does not contain any of the same lookup / template evaluation code, and the only class related to JNDI (JMSAppender) does not appear to connect to user-controlled remote systems based on log events.  Older version of Cognos Controller that uses log4j-1.2.7.jar, does not have the same issue.

Log4j: It’s worse than you think

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2019 server
Issue:

Should i do something for Cognos products because of the Log4j vulnerability?

There is now a “patch”….. read more here https://www.ibm.com/support/pages/node/6526474

Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

https://www.ibm.com/support/pages/node/6538720

Background:
https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html

By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. The attacker must get the Cognos Logger software to process a string to the log file, that active the function JNDI to contact LDAP server xxxx and download information, that in real can be java code, and execute it. Gives the possibility to install Trojans and other software, but he need to trick cognos to send the information to the logger.

How Log4j Vulnerability Could Impact You

Suggested Solution:
First check what IBM say, if needed for cognos, they will release patch or instructions on there page.

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

Things you can do:
Ensure that the Cognos servers do not have contact with Internet, so any application on the server can reach out and download other software.
Creating a default-deny firewall rule will prevent servers from creating unapproved connections and can help reduce your risk of a compromise.

Ensure that only the people and computers that need it, have access to your cognos servers.

You can use tools, to see if you have the vulnerability;

https://log4shell.huntress.com/

https://github.com/xforcered/scan4log4shell

https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html

Log4j is a tool to create log files, used by WebSphere and maybe Cognos software.
Check version of WebSphere with this command:

Above is from CA11.1.x  CM_version=11.1.7-41.
In a CMD prompt, go to the java bin folder (path depends on version of Cognos Analytics)
Enter command C:\Program Files\ibm\cognos\analytics\wlp\bin\productinfo  version
CA11 uses WebSphere Liberty Server, where the version number is the year it was released.
WebSphere Application Server (WAS) latest version is 9, that should correspond to WLP 20.

https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server

Above is from CA11.0.x  CM_version=11.0.12.18

You can search your cognos folder, to see if you have Log4j files that can contain this issue.

You will find it in several folders, but it is only the top one \bin that is the default. The others are cached versions in folders like C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\61\data\cache\com.ibm.ws.app.manager_157\.cache\WEB-INF\lib

Log4j-core and Log4j-api can contain this issue. Above picture from CA11, we see that we use version 2.7 of Log4j program. That is old, so the LOG4J_FORMAT_MSG_NO_LOOKUPS  parameter will not work.

Versions of Log4j is listed here:
https://logging.apache.org/log4j/2.x/changes-report.html

If you can not wait for IBM instructions for Cognos, https://www.ibm.com/support/pages/node/6526474,  you can test this in your LAB.

“the mitigation is to remove the JndiLookup class from the classpath, with command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. ”

Stop the IBM Cognos service.


Copy the log4j-core-2.7.jar file to a new folder e.g. c:\tempfix

Unzip the jar file.

Go down in the unzipped folder structure to C:\tempfix\log4j-core-2.7\org\apache\logging\log4j\core\lookup folder

Remove the file JndiLookup.class

Go back to your top folder, and zip it again.

Rename your log4j-core-2.7.jar to log4j-core-2.7.org.jar ( to keep a backup ).

Rename your log4j-core-2.7.zip file to log4j-core-2.7.jar.

Copy the new log4j-core-2.7.jar file to your C:\Program Files\ibm\cognos\analytics\bin folder.

Start IBM Cognos.

Check that you can login and run reports.
The Log4j is used to create the cognosserver.log files, so carefully check that the log files work as expected.

https://docs.oracle.com/javase/tutorial/deployment/jar/build.html

https://convertio.co/zip-jar/

https://www.freefileconvert.com/zip-jar

If your test work out well, you can update the C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar file on your other CA11 servers.

PAW have a fix at:

Security bulletin: Security Bulletin: IBM Planning Analytics Workspace: Apache log4j Vulnerability (CVE-2021-44228)

https://www.ibm.com/support/pages/node/6525316

https://www.ibm.com/support/pages/node/6192099

For the latest Cognos Controller version there is a new version out…  but it may come more information from IBM.

Security bulletin: Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache log4j Vulnerability (CVE-2021-44228)

TM1 may also not use the affected version. You have to check with IBM Support, what they say.

IBM SPSS have a fix at https://www.ibm.com/support/pages/node/6526182

IBM ILMT have a different version of Log4j, and therefor a different workaround:

Most product will have a “patch” to upgrade to later Log4j versions.

https://www.ibm.com/support/pages/node/6525762

Workaround 1. Manually upgrade Log4j library included in VM Manager Tool in versions 9.2.21.0 – 9.2.25.0 to version 2.15.0

  1. Download the Log4j library package in version 2.15.0 from this page: https://logging.apache.org/log4j/2.x/download.html and extract them.
  2. Copy the following files to the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.15.0.jar
    • log4j-core-2.15.0.jar
  3. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
  4. Remove the following JAR files from the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
  5. Depending on your operating system, modify one of the following files.
    • LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following lines:
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.13.3.jar
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.13.3.jarChange them to:
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.15.0.jar
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.15.0.jar
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, find the following lines:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.13.3.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.13.3.jarChange them to:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.15.0.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.15.0.jar
  6. Start the VM Manager Tool by using -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.

Workaround 2. Mitigate the issue on the current version of the Log4j library included in VM Manager Tool in versions 9.2.21.0 – 9.2.25.0 by the configuration change

  1. Depending on your operating system, run one of the following:
    • LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following line. It might not contain all the parameters starting with -D string, for example, it might not contain the -Dsun.net.http.allowRestrictedHeaders=true substring.VMM_PROPERTIES_DEFS=”-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true”Add the following text at the end of the found line, just before the double quotation mark that ends this line.“ -Dlog4j2.formatMsgNoLookups=true” (including the space character at the beginning of the text)For example:
      VMM_PROPERTIES_DEFS=”-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true -Dlog4j2.formatMsgNoLookups=true
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, add the following entry as the last line of the ####### PROPERTIES DEFINITONS ####### section:SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% -Dlog4j2.formatMsgNoLookups=true
  2. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
  3. Start the VM Manager Tool by using the -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.

 

Fixes:

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

https://www.ibm.com/support/pages/node/6525762

https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-websphere-application-server-cve-2021-44228

https://www.ibm.com/support/pages/node/6526182

https://www.ibm.com/support/pages/node/6525706

More Information:

https://pmsquare.com/analytics-blog/2021/12/13/ibm-ca-pa-and-the-apache-log4j-cve-2021-44228-vulnerability

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://www.ibm.com/support/pages/17004-websphere-application-server-liberty-17004

https://www.ibm.com/support/pages/20002-websphere-application-server-liberty-20002

https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server#WebSphere_Liberty_Versions

https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://www.skylit.com/javamethods/faqs/createjar.html
https://success.trendmicro.com/solution/000289940

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228

Reference material can be found at the Apache.orgLog4j Security Vulnerability page.
IBM X-Force also has provided an analysis of the Log4j vulnerability, which can be found on the IBM Security Intelligence blog.

You have to decide how you will handle this possible threat in your organization.
This is only a list of information, on the subject.
You should check your logs from your antivirus / firewall software, if you are already compromise.

https://community.ibm.com/community/user/businessanalytics/communities/community-home/digestviewer/viewthread?MessageKey=ca2a4b8f-5ef7-44a7-85a3-25b4e26a0f7b&CommunityKey=8fde0600-e22b-4178-acf5-bf4eda43146b&tab=digestviewer

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

To get the patch, click this link: CA-11.x-Log4jSafeAgent

For detailed instructions, see Mitigate the Apache Log4j vulnerability (CVE-2021-44228) in Cognos Analytics 

Affected Version Fix Version Bundled Customers
IBM Cognos Analytics 11.2.x Cognos Analytics 11.2.1 Interim Fix 1

 

IBM Cognos Analytics 11.2.1 Interim Fix 2 (Bundled)
IBM Cognos Analytics 11.1.x

 

Cognos Analytics 11.1.7 Interim Fix 6

 

IBM Cognos Analytics 11.1.7 Interim Fix 7 (Bundled)
IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

 

Cognos Analytics 11.0.13 Interim Fix 3

 

IBM Cognos Analytics 11.0.13 Interim Fix 4 (Bundled)

New version from 13 Jan 2022:

Affected Version Fix Version Bundled Customers
IBM Cognos Analytics 11.2.x IBM Cognos Analytics 11.2.1 Interim Fix 3

 

IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)
IBM Cognos Analytics 11.1.x

 

IBM Cognos Analytics 11.1.7 Interim Fix 8 IBM Cognos Analytics 11.1.7 Interim Fix 8 (Bundled)
IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

 

IBM Cognos Analytics 11.0.13 Interim Fix 5

 

IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)