david.ecker Posted December 13, 2021

Hi,

is the jasperreportserver affected by the log4j vulnerability?

https://logging.apache.org/log4j/2.x/security.html

Thanks,
David

harold.aling Posted December 13, 2021

I've also added an issue in the tracker: https://community.jaspersoft.com/jasperreports-server/issues/13926

matthew.hinton Posted December 13, 2021

Do you mean the one under CVE-2021-44228? Another community member opened a thread where it's discussed earlier at this link: CVE-2021-44228 log4j Vulnerability | Jaspersoft Community

andrew_50 Posted December 14, 2021

AFAICS the answer is YES.

Why? Because I can see log4j-core-2.13.3.jar in the jasperserver/WEB-INF/lib/ folder

jpadre Posted December 14, 2021

Hi David,

Please see https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-jaspersoft-products.

Best regards,
Joe

gustavofarias Posted December 15, 2021

CVE-2021-45046

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

Severity: Moderate

Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Source: https://logging.apache.org/log4j/2.x/security.html

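
Added example, not part of any post in this thread and not Jaspersoft's code: a Python check that finds log4j-core jars by file name under a directory such as the WEB-INF/lib folder mentioned above and compares each version with the affected ranges quoted in the preceding post. The function names and the sample file tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Affected ranges exactly as quoted in the post above for CVE-2021-45046.
AFFECTED = [((2, 0, 0), (2, 12, 1)), ((2, 13, 0), (2, 15, 0))]
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?\.jar$")


def classify(jar_name):
    """Return 'affected', 'not-listed' or 'unknown' for a log4j-core jar file name."""
    m = JAR_RE.match(jar_name)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    qualifier, qnum = (m.group(4) or "").lower(), int(m.group(5) or 0)
    if version == (2, 0, 0) and qualifier:
        # Pre-releases of 2.0: the quoted range starts at 2.0-beta9.
        if qualifier == "alpha" or (qualifier == "beta" and qnum < 9):
            return "not-listed"
        return "affected"
    if any(lo <= version <= hi for lo, hi in AFFECTED):
        return "affected"
    return "not-listed"  # outside the quoted ranges; not a statement about other CVEs


def scan(lib_dir):
    """Map each log4j-core jar found under lib_dir to its classification."""
    return {p.name: classify(p.name) for p in sorted(Path(lib_dir).rglob("log4j-core-*.jar"))}


def demo():
    # Constructed sample tree: empty files standing in for a WEB-INF/lib folder.
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "jasperserver" / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        for name in ("log4j-core-2.13.3.jar", "log4j-core-2.16.0.jar", "log4j-core-2.0-beta8.jar"):
            (lib / name).touch()
        return scan(tmp)


if __name__ == "__main__":
    for jar, status in demo().items():
        print(f"{status:11} {jar}")
```

File names only identify unshaded jars; a copy of Log4j bundled inside another archive is not found by this scan.
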
noel_c_cadiz Posted December 20, 2021

I am using JRS 6.4.0. According to this link https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-jaspersoft-products, only the following JRS versions are affected. Does this mean lower versions are not vulnerable to Log4J2? Please advise. Thanks!

Product                Affected Version
JasperReports Server   7.5.x, 7.8.x, 7.9.x, 8.0.0