An update on the Apache Log4j CVE-2021-44228 vulnerability (Log4Shell)
Updated: February 7, 2022
Aderant has now made available a patch for the recently reported Log4j vulnerabilities. Specifically, this patch updates IBM Cognos to 11.1.7 Interim Fix 8 and is provided for clients running Spotlight versions 4.1 through 4.1.0.2. The patch and corresponding instructions can be found on Salesforce under the “Aderant-Spotlight” available downloads and are labeled “(For Spotlight 4.1 and Above) IBM Cognos Analytics Server 11.1.7.8 (2/2/2022)”. All files and required instructions are within this download. For more information on the IBM patch itself, please see the following note on the IBM website here.
Updated: December 16, 2021
Aderant is closely following the global cybersecurity incident CVE-2021-44228, called Log4Shell. This incident exploits vulnerabilities in the widely used Java open-source logging library Apache Log4j.
Products Not Impacted by CVE-2021-44228:
Other than the applications listed below, Aderant does not believe that our products are affected by this vulnerability. None of Aderant’s other applications are written in Java, and therefore none of them use the Log4j library.
Products Impacted by CVE-2021-44228:
- The Aderant Spotlight business intelligence product incorporates code from the IBM Cognos Analytics product, which uses Log4j.
- Spotlight Versions 4.1 – 4.1.0.2 utilize IBM Cognos Analytics 11.1+, which includes a version of the Log4J library (v2.7) that is vulnerable to CVE-2021-44228.
- On December 15, 2021, IBM released an update to Cognos Analytics that addresses this vulnerability. Aderant is currently testing Spotlight with this updated version of Cognos Analytics. We will post further updates when this testing is complete. You can find information on this update from IBM linked here.
- In the notification linked above, IBM also notes the following:
  - Workarounds and Mitigations: IBM is developing a “non-upgrade” option for “On-Prem” customers that will patch the system and allow customers to remain on their current applicable version. This option will be announced and available shortly.
- In the interim, Aderant has tested the following mitigation steps recommended by the Apache.org Log4j project. Our testing did not reveal any negative impacts.
  - Remove the JndiLookup class from the log4j-core-2.7.jar file in each of the locations listed below.
  - The command line below can be used to remove the JndiLookup class. Alternatively, you can contact Aderant Support to request a copy of the modified log4j-core-2.7.jar file.
      zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  - log4j-core-2.7.jar file locations:
    - <IBM_Installation_Directory>\cognos\analytics\bin
    - <IBM_Installation_Directory>\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\102\0\.cp
    - <IBM_Installation_Directory>\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\91\0\.cp
- Spotlight Versions 3.0 through 4.0.2.3: These versions of Spotlight utilize IBM Cognos Analytics 10.2.2, which uses an older version of the Log4J library (v1.2.17) that is not vulnerable to CVE-2021-44228.
- SecureLink is a third-party product provided by Aderant to facilitate secure remote access to client systems. We have received the following information from SecureLink:
  - At this time, there is no indication that any SecureLink product is affected by this vulnerability.
  - On Friday, December 10, the team validated that the Log4j Core library (log4j-core) is not present in any Java classpaths currently deployed by our products. The team has advised that other Log4j dependencies do exist and that these dependencies may create false positive alerts from vulnerability management and/or scanner software.
  - SecureLink does not use log4j for logging; however, we do have log4j-related libraries (like log4j-api), which are simply bridge libraries to make software trying to log to log4j actually log to our logger of choice, Logback.
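The following Python script is an added example, not code from Aderant, IBM, SecureLink or the Log4j project. It does two things the list above describes: it audits a set of directories for log4j*.jar files and reports which ones actually contain the JndiLookup class (so that bridge jars such as log4j-api, which SecureLink notes can trigger scanner false positives, are distinguished from log4j-core), and it applies the Apache-recommended mitigation by rewriting a jar without JndiLookup.class, the same effect as the zip -q -d command, while keeping a .bak copy for rollback. The directories and jars are constructed stand-ins with placeholder bytes so the script runs offline; in a real deployment you would pass the three IBM installation paths listed above instead.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class that the Apache mitigation removes from log4j-core 2.x jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, keeping a .bak copy of the original.

    Same effect as: zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class
    Returns True if the class was removed, False if it was already absent."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        entries = src.infolist()
        if all(e.filename != JNDI_LOOKUP for e in entries):
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for e in entries:
                if e.filename != JNDI_LOOKUP:
                    dst.writestr(e, src.read(e.filename))  # copy every other entry unchanged
    jar_path.replace(Path(str(jar_path) + ".bak"))  # rollback copy of the untouched jar
    jar_path.write_bytes(buf.getvalue())
    return True


def audit_jars(directories):
    """Classify every log4j*.jar found directly in the given directories.

    'needs-mitigation': contains JndiLookup.class (a log4j-core jar).
    'no-jndilookup':    no such class, e.g. a log4j-api bridge jar that a
                        scanner may still flag on the file name alone."""
    report = {}
    for d in directories:
        for jar in Path(d).iterdir():
            name = jar.name.lower()
            if name.startswith("log4j") and name.endswith(".jar"):
                report[str(jar)] = "needs-mitigation" if has_jndi_lookup(jar) else "no-jndilookup"
    return report


def build_sample_jars(directory):
    """Constructed stand-ins for the real jars: placeholder bytes, not real class files."""
    directory = Path(directory)
    core = directory / "log4j-core-2.7.jar"
    with zipfile.ZipFile(core, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
    api = directory / "log4j-api-2.7.jar"  # bridge-style jar with no JndiLookup class
    with zipfile.ZipFile(api, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/LogManager.class", b"\xca\xfe\xba\xbe placeholder")
    return core, api


def run_demo():
    """Audit, mitigate, re-audit in a scratch directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        core, api = build_sample_jars(tmp)
        before = audit_jars([tmp])
        removed = remove_jndi_lookup(core)
        after = audit_jars([tmp])
        with zipfile.ZipFile(core) as zf:
            remaining = zf.namelist()
        return {
            "before": {Path(k).name: v for k, v in before.items()},
            "removed": removed,
            "after": {Path(k).name: v for k, v in after.items()},
            "backup_kept": Path(str(core) + ".bak").exists(),
            "other_classes_intact": remaining
            == ["META-INF/MANIFEST.MF", "org/apache/logging/log4j/core/Logger.class"],
        }


if __name__ == "__main__":
    print(run_demo())
```

Run the audit before and after the change on each Cognos location: a jar reported as no-jndilookup after the rewrite, with its .bak sibling present and its other classes intact, is the evidence a change ticket needs, and a log4j-api jar that was no-jndilookup from the start is the kind of scanner hit SecureLink describes rather than something to edit.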
Aderant will continue to monitor this situation and will communicate further updates via the following page on our website: https://www.aderant.com/log4shell/
