CVE-2021-44228 log4j Vulnerability

ashin's picture
67
Joined: Dec 10 2021 - 5:58pm
Last seen: 6 months 1 week ago

Yes, it seems but there is no clear procedure to upgrade the log4j version.

mohanreddy4 - 6 months 2 weeks ago
show 1 more...

8 Answers:

I was reading about it and we can mitigate as described at https://logging.apache.org/log4j/2.x/security.html

I suggest exporting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS setting to true at /etc/profile where it will be applied to all your users.

henrique.cezar's picture
Joined: Nov 18 2020 - 2:39pm
Last seen: 6 months 2 weeks ago

JRS 7.9.0 Build 20210909_1344

Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector

Recommended steps:
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM

OR

2) Replace the log4j 2.13.3 jars with 2.15 which is patched

I do not work for JasperSoft - YMMV

mrwizard's picture
Joined: Apr 28 2008 - 10:13am
Last seen: 6 months 2 weeks ago

Hi there,
  I'm trying to do some tests on my environment, with a Jasper Report Server 7.5 already installed (Tomcat+Postgres+log4j 2.12.1), trying to upgrade log4j libraries.
The vulnerability seems to be placed in "log4j-core-2.12.1.jar", specifically in JndiLookup.class contained in the jar.
In my case I'm currently testing a simple replacement of jar files with the 2.15.0 fixed version (which has been declared be safe as of now - Dec 13th).

These are my changes:

log4j-core-2.12.1.jar ->       log4j-core-2.15.0.jar
log4j-api-2.12.1.jar ->        log4j-api-2.15.0.jar
log4j-1.2-api-2.12.1.jar ->    log4j-1.2-api-2.15.0.jar
log4j-slf4j-impl-2.12.1.jar -> log4j-slf4j-impl-2.15.0.jar
log4j-jcl-2.12.1.jar ->        log4j-jcl-2.15.0.jar
log4j-jul-2.12.1.jar ->        log4j-jul-2.15.0.jar
log4j-web-2.12.1.jar ->        log4j-web-2.15.0.jar

The change requires a Tomcat service stop and start to load the new library version.
In any case this is a self-made/not certified solution and - I'm pretty sure that a redeploy from Tomcat can override the changes.
Use all this stuff at your own risk - I do not work for JasperSoft

enrico.tafuro_1's picture
Joined: Feb 11 2020 - 6:23am
Last seen: 2 months 19 hours ago

 I have worked on a solution on a few servers runnings jasper server on version 7.5.0.

Basically i added  -Dlog4j2.formatMsgNoLookups=true to setEnv file on the apache-tomcat folder.

 

Furthermore, i set the env LOG4J_FORMAT_MSG_NO_LOOKUPS as the first awnser says.

Good luck.

vicenzo's picture
128
Joined: Sep 8 2020 - 10:53am
Last seen: 6 months 1 week ago

I've posted another question just to call this out directly (again) - 4 days of TIBCO working on resolutions, without so much as a mention of Jasper - not for community or enterprise. 

darth_fader's picture
Joined: Mar 7 2010 - 9:45pm
Last seen: 3 months 3 weeks ago
gustavofarias's picture
Joined: May 22 2012 - 7:10am
Last seen: 5 days 14 hours ago
djohnson53's picture
153394
Joined: May 25 2012 - 11:10am
Last seen: 4 months 3 weeks ago

And  on the support portal:

Which eventually takes you to https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update

 

djohnson53's picture
153394
Joined: May 25 2012 - 11:10am
Last seen: 4 months 3 weeks ago

@djohnson53 in the last page you linked to, the Jasper Server link points to an empty page.

Do you know what is the plan for updating the vulnerable installers provided on community.jaspersoft.com and on Sourceforge?

We are using the Docker image and Helm chart of Bitnami and there will be no fix to that until patched installers are available.

dupont.sebastien - 5 months 2 weeks ago

all the links work

djohnson53 - 5 months 2 weeks ago

They won't update previous versions of the installers on the community editions on source forge.  The fixes will be included in the next release.  v8.0 is out now. It will have all the security fixes. New issues will be addressed in future releases of the community editions.

The previous versions available there are for migration purposes only.  If you have paid support, you may have other options thru them.

djohnson53 - 5 months 2 weeks ago
show 1 more...

Thank you for the answer

The linked pages were not properly shown because of my adblocker blocking coveo.com

dupont.sebastien - 5 months 1 week ago
Feedback
randomness