Category: Task
Priority: Urgent
Status: New
Severity: Critical
Resolution: Open
Reproducibility: N/A
Project:
Component:
Assigned to:
"On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string.
Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short."
https://www.lunasec.io/docs/blog/log4j-zero-day/
Are the Jaspersoft products vulnerable to this exploit?
4 Comments:
JRS 7.9.0 Build 20210909_1344
Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector
Recommended steps:
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM
OR
2) Replace the log4j 2.13.3 jars with 2.15 which is patched
I do not work for JasperSoft - YMMV
See also https://community.jaspersoft.com/questions/1190676/cve-2021-44228-log4j-...
log4j version 2.15 is vulnerable to denial of service attacks. As of today there should be a version 2.16 that should fix this.
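To make the check the first comment describes repeatable (find the log4j-core jar under WEB-INF/lib, read its version, decide whether it sits below the 2.15 RCE fix or below the 2.16 follow-up fix the second comment mentions, and confirm whether the -Dlog4j2.formatMsgNoLookups=true option is actually present in the JVM arguments), here is a small POSIX shell script. It is an added example written for this thread, not a script from Jaspersoft or from either commenter; the webapp path and the JAVA_OPTS string it inspects are assumptions, and the demo at the end runs against a constructed directory containing empty files named like the jars, not a real JRS install.

```shell
#!/bin/sh
# Added example for the thread above: inventory log4j-core jars in a webapp and
# classify them against the two version thresholds discussed in the comments.
# Assumptions: jars follow the stock naming log4j-core-<version>.jar, and the
# JVM options to inspect are passed in as a single string (e.g. $JAVA_OPTS).

# log4j_core_version FILE -> prints the version encoded in the filename (e.g. 2.13.3),
# prints nothing if the name does not match log4j-core-<version>.jar
log4j_core_version() {
  basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# version_lt A B -> exit 0 if dotted version A is strictly lower than B
# (compares up to three numeric components; missing components count as 0,
# so 2.15 and 2.15.0 are treated as equal)
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xa = (i <= n) ? x[i] + 0 : 0
      yb = (i <= m) ? y[i] + 0 : 0
      if (xa < yb) exit 0
      if (xa > yb) exit 1
    }
    exit 1
  }'
}

# classify_log4j VERSION -> VULNERABLE_RCE (below 2.15.0, CVE-2021-44228),
# VULNERABLE_DOS (2.15.x, the DoS issue the second comment refers to),
# OK (2.16.0 or newer), or UNKNOWN when no version could be parsed
classify_log4j() {
  [ -z "$1" ] && { echo UNKNOWN; return; }
  if version_lt "$1" 2.15.0; then echo VULNERABLE_RCE
  elif version_lt "$1" 2.16.0; then echo VULNERABLE_DOS
  else echo OK
  fi
}

# jvm_has_nolookups_flag "JVM OPTIONS" -> exit 0 if the mitigation flag from
# step 1 of the first comment is present as a whole argument
jvm_has_nolookups_flag() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# scan_webapp DIR -> one line per log4j-core jar found: path, version, status
scan_webapp() {
  find "$1" -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
    v=$(log4j_core_version "$jar")
    printf '%s %s %s\n' "$jar" "${v:--}" "$(classify_log4j "$v")"
  done
}

# Demo on a constructed layout (empty files, not real jars) mirroring the
# WEB-INF/lib path quoted in the first comment.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/WEB-INF/lib"
touch "$demo_dir/WEB-INF/lib/log4j-core-2.13.3.jar" \
      "$demo_dir/WEB-INF/lib/log4j-api-2.13.3.jar"
scan_webapp "$demo_dir"
demo_opts="-Xmx2g -Dlog4j2.formatMsgNoLookups=true"   # constructed JAVA_OPTS value
if jvm_has_nolookups_flag "$demo_opts"; then
  echo "formatMsgNoLookups mitigation flag present in JVM options"
else
  echo "formatMsgNoLookups mitigation flag NOT present in JVM options"
fi
rm -rf "$demo_dir"
```

Run it as `sh scan.sh` on the host; for a real instance point scan_webapp at the deployed jasperserver webapp directory and pass the actual JAVA_OPTS (or the options from the Tomcat startup script) to jvm_has_nolookups_flag. The version classification only reads the filename, so a jar that was renamed or shaded will show up as UNKNOWN rather than OK and needs a manual look.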
What is the predicted fix for this vulnerability?