I was reading about it and we can mitigate as described at https://logging.apache.org/log4j/2.x/security.html
I suggest exporting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS set to true in /etc/profile, where it will be applied to all your users.
JRS 7.9.0 Build 20210909_1344
Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM
2) Replace the log4j 2.13.3 jars with 2.15 which is patched
I do not work for JasperSoft - YMMV
I'm trying to do some tests on my environment, with a Jasper Report Server 7.5 already installed (Tomcat+Postgres+log4j 2.12.1), trying to upgrade log4j libraries.
The vulnerability seems to be placed in "log4j-core-2.12.1.jar", specifically in JndiLookup.class contained in the jar.
In my case I'm currently testing a simple replacement of jar files with the 2.15.0 fixed version (which has been declared to be safe as of now - Dec 13th).
These are my changes:
log4j-core-2.12.1.jar -> log4j-core-2.15.0.jar
log4j-api-2.12.1.jar -> log4j-api-2.15.0.jar
log4j-1.2-api-2.12.1.jar -> log4j-1.2-api-2.15.0.jar
log4j-slf4j-impl-2.12.1.jar -> log4j-slf4j-impl-2.15.0.jar
log4j-jcl-2.12.1.jar -> log4j-jcl-2.15.0.jar
log4j-jul-2.12.1.jar -> log4j-jul-2.15.0.jar
log4j-web-2.12.1.jar -> log4j-web-2.15.0.jar
The change requires a Tomcat service stop and start to load the new library version.
In any case this is a self-made/not certified solution, and I'm pretty sure that a redeploy from Tomcat can override the changes.
Use all this stuff at your own risk - I do not work for JasperSoft
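As an added example (not code from any poster in this thread or from Jaspersoft), the checks the posts above describe can be scripted: for each log4j-core jar in WEB-INF/lib, read the version, look for JndiLookup.class inside the jar, and decide whether the JVM flag or the LOG4J_FORMAT_MSG_NO_LOOKUPS variable is doing any good. It assumes the jar manifest carries an Implementation-Version line; the 2.15.0 threshold is the one this thread names, so pass whatever your current advisory says instead.

```python
import os
import re
import zipfile
from pathlib import Path

# Class whose presence in log4j-core enables JNDI lookups (named in the thread).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
ENV_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def core_version(jar):
    """Version tuple from the manifest's Implementation-Version, or None."""
    with zipfile.ZipFile(jar) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return None
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest, re.M)
    return tuple(int(g) for g in m.groups()) if m else None


def assess_jar(jar, jvm_opts="", env=None, fixed=(2, 15, 0)):
    """Classify a log4j-core jar as patched, mitigated, vulnerable or unknown.
    formatMsgNoLookups only exists from 2.10.0, so the flag never counts as a
    mitigation for older jars; `fixed` is the first version treated as safe."""
    env = os.environ if env is None else env
    ver = core_version(jar)
    if ver is None:
        return "unknown"
    with zipfile.ZipFile(jar) as z:
        has_jndi = JNDI_CLASS in z.namelist()
    if ver >= fixed or not has_jndi:  # upgraded, or class removed from the jar
        return "patched"
    flag_set = JVM_FLAG in jvm_opts or env.get(ENV_VAR, "").lower() == "true"
    if ver >= (2, 10, 0) and flag_set:
        return "mitigated"
    return "vulnerable"


def scan_lib(lib_dir, jvm_opts="", env=None):
    """Assess every log4j-core-*.jar under a WEB-INF/lib directory."""
    return {p.name: assess_jar(p, jvm_opts, env)
            for p in sorted(Path(lib_dir).glob("log4j-core-*.jar"))}


def make_sample_jar(path, version, with_jndi=True):
    """Constructed test jar: a manifest plus an empty JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"")
```

Run `scan_lib("/path/to/webapps/jasperserver/WEB-INF/lib", jvm_opts=open("setenv.sh").read())` on a real install; anything reported as "vulnerable" still needs the flag or the jar swap.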
I have worked on a solution on a few servers running Jasper Server on version 7.5.0.
Basically I added -Dlog4j2.formatMsgNoLookups=true to the setEnv file in the apache-tomcat folder.
Furthermore, I set the env LOG4J_FORMAT_MSG_NO_LOOKUPS as the first answer says.
I've posted another question just to call this out directly (again) - 4 days of TIBCO working on resolutions, without so much as a mention of Jasper - not for community or enterprise.
You didn't look far enough down the page (https://www.tibco.com/services/support/public-notices > https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update)
And on the support portal:
Which eventually takes you to https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update
@djohnson53 in the last page you linked to, the Jasper Server link points to an empty page.
Do you know what is the plan for updating the vulnerable installers provided on community.jaspersoft.com and on Sourceforge?
We are using the Docker image and Helm chart of Bitnami and there will be no fix to that until patched installers are available.
Thank you for the answer
The linked pages were not properly shown because of my adblocker blocking coveo.com
Yes, it seems so, but there is no clear procedure to upgrade the log4j version.
(https://www.tibco.com/services/support/public-notices > https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update)
Hot Fixes available 3/4 down the page.
Another important link: https://support.tibco.com/s/article/TIBCO-Jaspersoft-Mitigation-for-CVE-2021-44228-Log4Shell