[#13926] - Is Jaspersoft vulnerable to the Log4Shell 0-day exploit?

Category: Task
Priority: Urgent
Status: New
Project:
Severity: Critical
Resolution: Open
Component:
Reproducibility: N/A
Assigned to: 6

"On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short."

https://www.lunasec.io/docs/blog/log4j-zero-day/

Are the Jaspersoft products vulnerable to this exploit?

harold.aling
Joined: Dec 13 2021 - 2:31am

3 Comments:

#1

JRS 7.9.0 Build 20210909_1344

Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector

Recommended steps (either one):
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM options

OR

2) Replace the log4j 2.13.3 jars with 2.15, which is patched

I do not work for JasperSoft - YMMV
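The first half of the check above (locate the log4j-core jar under WEB-INF/lib, read its version, decide whether it still needs the JVM flag or a jar swap) can be scripted. The block below is an added example written for this page; it is not part of the thread and not Jaspersoft's own tooling. It assumes the jar follows the log4j-core-<version>.jar naming seen in the comment, uses 2.16.0 as the "fixed" threshold (an assumption taken from comment #3, which says 2.15 still has a denial-of-service problem), and, when unzip is available, also reports whether JndiLookup.class is still packaged in the jar, since removing that class is a separate mitigation Apache documented that the thread does not mention. The Jaspersoft install path in the usage comment is likewise an assumption.

```shell
#!/bin/sh
# Added example, not from the Jaspersoft thread: scan a web application's
# lib directory for log4j-core jars and flag versions below a threshold.

# Assumption: versions below this are treated as still needing action.
# 2.15.0 closed the RCE; comment #3 notes 2.15 is still DoS-prone, so 2.16.0.
LOG4J_FIXED_VERSION="2.16.0"

# version_lt A B : return 0 if dotted version A is strictly lower than B.
# Non-numeric suffixes (e.g. "0-beta9") are truncated to their leading digits.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# log4j_version_from_jar PATH : print the version embedded in log4j-core-<ver>.jar
log4j_version_from_jar() {
    base=$(basename "$1" .jar)
    printf '%s\n' "${base#log4j-core-}"
}

# scan_log4j_jars DIR : print "<path> <version> <VULNERABLE|OK>" for every
# log4j-core jar below DIR; return 1 if any jar is below the threshold.
# Paths containing whitespace are not handled by the word-split loop below.
scan_log4j_jars() {
    dir="$1"; found_bad=0
    for jar in $(find "$dir" -type f -name 'log4j-core-*.jar' | sort); do
        ver=$(log4j_version_from_jar "$jar")
        if version_lt "$ver" "$LOG4J_FIXED_VERSION"; then
            verdict=VULNERABLE; found_bad=1
        else
            verdict=OK
        fi
        # A jar is a zip file: if unzip is available, note whether the JNDI
        # lookup handler is still packaged. Deleting that class from the jar is
        # the mitigation Apache documented for installs that cannot upgrade.
        if command -v unzip >/dev/null 2>&1 \
           && unzip -l "$jar" 2>/dev/null | grep -q 'core/lookup/JndiLookup.class'; then
            verdict="$verdict (JndiLookup.class present)"
        fi
        printf '%s %s %s\n' "$jar" "$ver" "$verdict"
    done
    return "$found_bad"
}

# Usage (path is an assumption about a typical Tomcat-bundled JasperReports Server):
#   scan_log4j_jars /opt/jasperserver/apache-tomcat/webapps/jasperserver-pro/WEB-INF/lib
if [ "$#" -gt 0 ]; then
    scan_log4j_jars "$1"
fi
```

The version parser only looks at the file name, so a renamed or shaded jar will be missed; the JndiLookup.class line is what tells you whether the exploitable lookup is actually in the archive regardless of what the name says. A non-zero exit from scan_log4j_jars is meant for use in a CI or fleet-wide check so that any flagged host fails loudly.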

#3

log4j version 2.15 is vulnerable to denial of service attacks. A version 2.16 that should fix this is available as of today.
