[#13926] - Is Jaspersoft vulnerable to the Log4Shell 0-day exploit?

Posted by harold.aling on December 13, 2021 - 2:37am
Category:
Task
 Priority:
Urgent
 Status:
New
Project:
JasperReports® Server
 Severity:
Critical
 Resolution:
Open
Component: Reproducibility:
N/A
 Assigned to:
Subscribe
6

"On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short."

https://www.lunasec.io/docs/blog/log4j-zero-day/

Are the Jaspersoft products vulnerable to this exploit?

harold.aling's picture
harold.aling
2
Joined: Dec 13 2021 - 2:31am
Last seen: 1 month 1 week ago

3 Comments:

#1Posted by mrwizard on December 13, 2021 - 7:28am

JRS 7.9.0 Build 20210909_1344

Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector

Recommended steps:
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM

OR

2) Replace the log4j 2.13.3 jars with 2.15 which is patched

I do not work for JasperSoft - YMMV

#2Posted by mrwizard on December 13, 2021 - 8:27am

See also https://community.jaspersoft.com/questions/1190676/cve-2021-44228-log4j-...

#3Posted by ronaldverbeek on December 16, 2021 - 5:39am

log4j version 2.15 is vulnerable for denial of service attacks. There should be a version 2.16 since today that should fix this.

Feedback
randomness