Apache Log4j Security Vulnerabilities

[david.ecker]

Hi,

is the jasperreportserver affected by the log4j vulnerabilty? 

https://logging.apache.org/log4j/2.x/security.html

Thanks,

David

[harold.aling]

I've also added an issue in the tracker: https://community.jaspersoft.com/jasperreports-server/issues/13926

[matthew.hinton]

Do you mean the one under CVE-2021-44228 ?  Another cummnity member opened a thread where it's discussed earlier at this link:  CVE-2021-44228 log4j Vulnerability | Jaspersoft Community

[andrew_50]

AFAICS the answer is YES.

Why? Because I can see log4j-core-2.13.3.jar in the jasperserver/WEB-INF/lib/ folder

[jpadre]

Hi David,

Please see https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-jaspersoft-products.

Best regards,

Joe

[gustavofarias]

CVE-2021-45046

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

Severity: Moderate

Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Source: https://logging.apache.org/log4j/2.x/security.html

[noel_c_cadiz]

I am using JRS 6.4.0. According to this link https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-jaspersoft-products, only the following JRS versions are affected. Does this mean, lower versions are not vulnerable to Log4J2? Please advise. thanks!

Product	Affected Version
JasperReports Server	7.5.x, 7.8.x, 7.9.x, 8.0.0