CVE-2021-44228 log4j Vulnerability


ashin


JRS 7.9.0 Build 20210909_1344

Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector

Recommended steps:
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM

OR

2) Replace the log4j 2.13.3 jars with 2.15 which is patched

I do not work for JasperSoft - YMMV
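The two checks the post above relies on (which log4j-core jar is in WEB-INF/lib and whether a JVM-level mitigation is in place) can be scripted. The following is an added example, not code from the original post, from JasperSoft or from the Log4JShell-Bytecode-Detector project. It assumes a lib directory you point it at, jar names of the form log4j-core-X.Y.Z.jar, and the JVM options string and environment you pass in; the sample jar it builds is constructed in a temp directory with placeholder bytes, not real bytecode. It tests only for the presence of the JndiLookup class entry rather than the bytecode signature the linked detector checks, and it treats the formatMsgNoLookups flag as effective only on log4j 2.10 or later, the version that introduced it.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Entry name of the lookup class inside log4j-core jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+\.\d+\.\d+)\.jar$")
FIXED = (2, 15, 0)      # the version the thread treats as patched
FLAG_SINCE = (2, 10, 0)  # formatMsgNoLookups only exists from 2.10 on


def parse_version(text):
    """'2.13.3' -> (2, 13, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def inspect_lib_dir(lib_dir):
    """Describe every log4j-core jar found directly in lib_dir."""
    findings = []
    for jar in Path(lib_dir).glob("log4j-core-*.jar"):
        m = JAR_RE.match(jar.name)
        if not m:
            continue
        version = parse_version(m.group(1))
        with zipfile.ZipFile(jar) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
        findings.append({
            "jar": jar.name,
            "version": version,
            "has_jndi_lookup": has_jndi,
            "below_fixed": version < FIXED,
        })
    return findings


def lookups_disabled(jvm_opts, env):
    """True if either mitigation named in the thread is set."""
    flag = "-Dlog4j2.formatMsgNoLookups=true" in jvm_opts.split()
    envvar = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
    return flag or envvar


def assess(lib_dir, jvm_opts="", env=None):
    """Return [(jar name, status)] with status patched / mitigated-by-flag / vulnerable."""
    env = env or {}
    results = []
    for f in inspect_lib_dir(lib_dir):
        if not f["below_fixed"] or not f["has_jndi_lookup"]:
            status = "patched"
        elif f["version"] >= FLAG_SINCE and lookups_disabled(jvm_opts, env):
            status = "mitigated-by-flag"
        else:
            status = "vulnerable"
        results.append((f["jar"], status))
    return results


def demo():
    """Constructed sample: a fake log4j-core-2.13.3.jar that carries the lookup class entry."""
    tmp = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(tmp, "log4j-core-2.13.3.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, b"placeholder, not real bytecode")
    unmitigated = assess(tmp)
    mitigated = assess(tmp, jvm_opts="-Xmx2g -Dlog4j2.formatMsgNoLookups=true")
    return unmitigated, mitigated


if __name__ == "__main__":
    # Against a real install you would call assess("/path/to/WEB-INF/lib", jvm_opts, dict(os.environ)).
    print(demo())
```

The version comparison is done on integer tuples because a plain string comparison would rank "2.9.1" above "2.15.0". The jar scan covers only the directory given; a deployment that also bundles log4j elsewhere on the classpath needs the same check there.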


Hi there,
  I'm trying to do some tests on my environment, with a Jasper Report Server 7.5 already installed (Tomcat+Postgres+log4j 2.12.1), trying to upgrade log4j libraries.
The vulnerability seems to be placed in "log4j-core-2.12.1.jar", specifically in JndiLookup.class contained in the jar.
In my case I'm currently testing a simple replacement of jar files with the 2.15.0 fixed version (which has been declared to be safe as of now - Dec 13th).

These are my changes:

log4j-core-2.12.1.jar ->       log4j-core-2.15.0.jar
log4j-api-2.12.1.jar ->        log4j-api-2.15.0.jar
log4j-1.2-api-2.12.1.jar ->    log4j-1.2-api-2.15.0.jar
log4j-slf4j-impl-2.12.1.jar -> log4j-slf4j-impl-2.15.0.jar
log4j-jcl-2.12.1.jar ->        log4j-jcl-2.15.0.jar
log4j-jul-2.12.1.jar ->        log4j-jul-2.15.0.jar
log4j-web-2.12.1.jar ->        log4j-web-2.15.0.jar

The change requires a Tomcat service stop and start to load the new library version.
In any case this is a self-made/not certified solution and I'm pretty sure that a redeploy from Tomcat can override the changes.
Use all this stuff at your own risk - I do not work for JasperSoft
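The jar-for-jar replacement listed above is easy to get half right (one module left at the old version, or no copy of the old jars to revert to). The following is an added example, not code from the original post or from JasperSoft, that swaps every log4j module in a lib directory for the same version from a staging directory, keeps the old jars in a backup directory, and refuses to start if any module lacks a replacement. The lib, staging and backup paths are assumptions you supply; the demo builds a layout with seven empty placeholder files in a temp directory, mirroring the post's list.

```python
import re
import shutil
import tempfile
from pathlib import Path

# The seven modules the post replaces; a real install may have more.
MODULES = ["log4j-core", "log4j-api", "log4j-1.2-api", "log4j-slf4j-impl",
           "log4j-jcl", "log4j-jul", "log4j-web"]
JAR_RE = re.compile(r"^(log4j-.+)-(\d+\.\d+\.\d+)\.jar$")


def log4j_versions(lib_dir):
    """Map each log4j module name in lib_dir to the version(s) found in its filename."""
    found = {}
    for jar in Path(lib_dir).glob("log4j-*.jar"):
        m = JAR_RE.match(jar.name)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def consistent_version(lib_dir):
    """Return the single log4j version present, or None if modules are at mixed versions."""
    versions = {v for vs in log4j_versions(lib_dir).values() for v in vs}
    return versions.pop() if len(versions) == 1 else None


def swap_log4j_jars(lib_dir, new_jar_dir, new_version, backup_dir):
    """Move every log4j-* jar from lib_dir to backup_dir and copy in the matching
    module at new_version from new_jar_dir. Returns sorted [(old name, new name)]."""
    lib, src, bak = Path(lib_dir), Path(new_jar_dir), Path(backup_dir)
    current = log4j_versions(lib)
    # Pre-flight: abort before touching anything if a module has no replacement,
    # otherwise the install would be left at mixed versions.
    missing = [m for m in current if not (src / f"{m}-{new_version}.jar").exists()]
    if missing:
        raise FileNotFoundError(f"no {new_version} jar staged for: {missing}")
    bak.mkdir(parents=True, exist_ok=True)
    swapped = []
    for module, versions in current.items():
        for ver in versions:
            old = lib / f"{module}-{ver}.jar"
            shutil.move(str(old), str(bak / old.name))
            new = lib / f"{module}-{new_version}.jar"
            shutil.copy2(src / new.name, new)
            swapped.append((old.name, new.name))
    return sorted(swapped)


def demo():
    """Constructed layout: seven 2.12.1 placeholder jars and a staging dir of 2.15.0 ones."""
    root = Path(tempfile.mkdtemp())
    lib, staged, bak = root / "WEB-INF" / "lib", root / "log4j-2.15.0", root / "backup"
    lib.mkdir(parents=True)
    staged.mkdir()
    for m in MODULES:
        (lib / f"{m}-2.12.1.jar").write_bytes(b"old placeholder")
        (staged / f"{m}-2.15.0.jar").write_bytes(b"new placeholder")
    before = consistent_version(lib)
    swapped = swap_log4j_jars(lib, staged, "2.15.0", bak)
    return before, consistent_version(lib), len(swapped), sorted(p.name for p in bak.iterdir())


if __name__ == "__main__":
    # On a real server: stop Tomcat, run swap_log4j_jars on the actual WEB-INF/lib, start Tomcat.
    print(demo())
```

The script only touches jar files, so, as the post warns, a redeploy of the WAR from Tomcat would put the old jars back; the backup directory exists so the change can be reverted in the same way. Run it with the service stopped, as the post describes, because the JVM holds the old jars open while running.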


I have worked on a solution on a few servers running Jasper Server on version 7.5.0.

Basically I added -Dlog4j2.formatMsgNoLookups=true to the setenv file in the apache-tomcat folder.

Furthermore, I set the env LOG4J_FORMAT_MSG_NO_LOOKUPS as the first answer says.

Good luck.


  • 4 weeks later...

@djohnson53 in the last page you linked to, the Jasper Server link points to an empty page.

Do you know what is the plan for updating the vulnerable installers provided on community.jaspersoft.com and on Sourceforge?

We are using the Docker image and Helm chart of Bitnami and there will be no fix to that until patched installers are available.


They won't update previous versions of the installers on the community editions on SourceForge. The fixes will be included in the next release. v8.0 is out now. It will have all the security fixes. New issues will be addressed in future releases of the community editions.

The previous versions available there are for migration purposes only. If you have paid support, you may have other options through them.
