mohanreddy4 Posted December 13, 2021

Yes, it seems so, but there is no clear procedure to upgrade the log4j version.
henrique.cezar Posted December 13, 2021

I was reading about it and we can mitigate as described at https://logging.apache.org/log4j/2.x/security.html. I suggest exporting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS set to true in /etc/profile, where it will be applied to all your users.
mrwizard Posted December 13, 2021

JRS 7.9.0 Build 20210909_1344 uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar). Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector

Recommended steps:

1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM

OR

2) Replace the log4j 2.13.3 jars with 2.15, which is patched

I do not work for JasperSoft - YMMV
enrico.tafuro_1 Posted December 13, 2021

Hi there, I'm trying to do some tests on my environment, with a Jasper Report Server 7.5 already installed (Tomcat+Postgres+log4j 2.12.1), trying to upgrade the log4j libraries. The vulnerability seems to be located in "log4j-core-2.12.1.jar", specifically in the JndiLookup.class contained in the jar. In my case I'm currently testing a simple replacement of the jar files with the 2.15.0 fixed version (which has been declared to be safe as of now - Dec 13th).

These are my changes:

log4j-core-2.12.1.jar -> log4j-core-2.15.0.jar
log4j-api-2.12.1.jar -> log4j-api-2.15.0.jar
log4j-1.2-api-2.12.1.jar -> log4j-1.2-api-2.15.0.jar
log4j-slf4j-impl-2.12.1.jar -> log4j-slf4j-impl-2.15.0.jar
log4j-jcl-2.12.1.jar -> log4j-jcl-2.15.0.jar
log4j-jul-2.12.1.jar -> log4j-jul-2.15.0.jar
log4j-web-2.12.1.jar -> log4j-web-2.15.0.jar

The change requires a Tomcat service stop and start to load the new library version. In any case this is a self-made/not certified solution and I'm pretty sure that a redeploy from Tomcat can override the changes.

Use all this stuff at your own risk - I do not work for JasperSoft
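The two posts above boil down to an inventory question: which log4j-core jar does the WEB-INF/lib directory actually ship, and does it still contain JndiLookup.class? The following is an added example (not from the thread or from Jaspersoft) that answers that for a lib directory; the jar names and contents it builds are constructed stand-ins, and the `fixed` version threshold is a parameter because the thread later notes that 2.15.0 was itself followed by CVE-2021-45046.

```python
"""Inventory check for Log4Shell exposure in a JasperReports Server WEB-INF/lib directory."""
import re
import tempfile
import zipfile
from pathlib import Path

# Class the thread identifies as the vulnerable component inside log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")


def parse_version(filename):
    """Extract (major, minor, patch) from a log4j-core jar name, or None."""
    m = VERSION_RE.search(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def assess_jar(path, fixed=(2, 15, 0)):
    """Report one jar: version from its name, whether JndiLookup.class is still
    inside, and whether that combination is below the 'fixed' threshold."""
    path = Path(path)
    version = parse_version(path.name)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    # A jar with the class removed is mitigated regardless of version;
    # an unparseable version is treated as vulnerable (fail closed).
    vulnerable = has_jndi and (version is None or version < fixed)
    return {"jar": path.name, "version": version,
            "jndi_lookup_present": has_jndi, "vulnerable": vulnerable}


def scan_lib(lib_dir, fixed=(2, 15, 0)):
    """Assess every log4j-core jar in a WEB-INF/lib directory."""
    return [assess_jar(p, fixed) for p in sorted(Path(lib_dir).glob("log4j-core-*.jar"))]


def make_sample_jar(path, include_jndi):
    """Constructed stand-in for a log4j-core jar (not a real log4j build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo(fixed=(2, 15, 0)):
    """Build a throwaway lib dir mirroring the thread's cases and scan it."""
    lib = Path(tempfile.mkdtemp())
    make_sample_jar(lib / "log4j-core-2.13.3.jar", include_jndi=True)   # stock JRS 7.9.0
    make_sample_jar(lib / "log4j-core-2.15.0.jar", include_jndi=True)   # replaced jar
    make_sample_jar(lib / "log4j-core-2.12.1-stripped.jar", include_jndi=False)  # class deleted
    return scan_lib(lib, fixed)
```

Point `scan_lib` at the real `.../WEB-INF/lib` after a jar swap to confirm that no older log4j-core jar was left behind and that the flag-based mitigations are not the only thing standing between the server and the bug.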
vicenzo Posted December 13, 2021

I have worked on a solution on a few servers running Jasper Server version 7.5.0. Basically I added -Dlog4j2.formatMsgNoLookups=true to the setenv file in the apache-tomcat folder. Furthermore, I set the env LOG4J_FORMAT_MSG_NO_LOOKUPS as the first answer says.

Good luck.
darth_fader Posted December 14, 2021

I've posted another question just to call this out directly (again) - 4 days of TIBCO working on resolutions, without so much as a mention of Jasper - not for community or enterprise.
gustavofarias Posted December 15, 2021

Now there is CVE-2021-45046 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)
djohnson53 Posted December 15, 2021

darth_fader, you didn't look far enough down the page (https://www.tibco.com/services/support/public-notices > https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update)
djohnson53 Posted December 15, 2021

(https://www.tibco.com/services/support/public-notices > https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update) Hot Fixes are available 3/4 of the way down the page.
djohnson53 Posted December 15, 2021

And on the support portal, which eventually takes you to https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update
djohnson53 Posted December 15, 2021

Also: https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-jaspersoft-products
djohnson53 Posted December 15, 2021

Another important link: https://support.tibco.com/s/article/TIBCO-Jaspersoft-Mitigation-for-CVE-2021-44228-Log4Shell
dupont.sebastien Posted January 11, 2022

@djohnson53 in the last page you linked to, the Jasper Server link points to an empty page. Do you know what the plan is for updating the vulnerable installers provided on community.jaspersoft.com and on Sourceforge? We are using the Docker image and Helm chart of Bitnami and there will be no fix to that until patched installers are available.
djohnson53 Posted January 13, 2022

All the links work.
djohnson53 Posted January 13, 2022

They won't update previous versions of the installers for the community editions on SourceForge. The fixes will be included in the next release. v8.0 is out now; it will have all the security fixes. New issues will be addressed in future releases of the community editions. The previous versions available there are for migration purposes only. If you have paid support, you may have other options through them.
dupont.sebastien Posted January 18, 2022

Thank you for the answer. The linked pages were not properly shown because of my adblocker blocking coveo.com.