I was reading about it, and we can mitigate it as described at https://logging.apache.org/log4j/2.x/security.html
I suggest exporting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS set to true in /etc/profile, where it will be applied to all your users.
JRS 7.9.0 Build 20210909_1344
Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM
2) Replace the log4j 2.13.3 jars with 2.15 which is patched
I do not work for JasperSoft - YMMV
I'm doing some tests on my environment, with a Jasper Report Server 7.5 already installed (Tomcat + Postgres + log4j 2.12.1), trying to upgrade the log4j libraries.
The vulnerability seems to be located in "log4j-core-2.12.1.jar", specifically in the JndiLookup.class contained in the jar.
In my case I'm currently testing a simple replacement of the jar files with the 2.15.0 fixed version (which has been declared safe as of now, Dec 13th).
These are my changes:
log4j-core-2.12.1.jar -> log4j-core-2.15.0.jar
log4j-api-2.12.1.jar -> log4j-api-2.15.0.jar
log4j-1.2-api-2.12.1.jar -> log4j-1.2-api-2.15.0.jar
log4j-slf4j-impl-2.12.1.jar -> log4j-slf4j-impl-2.15.0.jar
log4j-jcl-2.12.1.jar -> log4j-jcl-2.15.0.jar
log4j-jul-2.12.1.jar -> log4j-jul-2.15.0.jar
log4j-web-2.12.1.jar -> log4j-web-2.15.0.jar
The change requires a Tomcat service stop and start to load the new library version.
In any case this is a self-made, non-certified solution, and I'm pretty sure that a redeploy from Tomcat can override the changes.
Use all this stuff at your own risk - I do not work for JasperSoft
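As an added example (this is not code from any of the posts above, nor a JasperSoft-provided tool): a Python script that does the check the two previous posts describe by hand, scanning a WEB-INF/lib directory for log4j-core jars, parsing the version from the file name, and looking inside each jar for JndiLookup.class, the class the posts point to. A jar is reported as "patched" when its version is at or above MINIMUM_VERSION, "class-removed" when an older jar no longer contains JndiLookup.class (the removal mitigation documented on the Apache page linked at the top of the thread), and "vulnerable" otherwise. MINIMUM_VERSION is set to 2.15.0 only because that is what these posts upgraded to; the Apache advisory has since raised its recommended release, so adjust the constant. The three jars built by demo() are constructed stand-ins containing empty entries, not real log4j builds.

```python
"""Scan a WEB-INF/lib directory for log4j-core jars and report their Log4Shell status."""
import re
import tempfile
import zipfile
from pathlib import Path

# Entry whose presence means JNDI lookups are still compiled into log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-<major>.<minor>.<patch>.jar; other log4j modules are ignored.
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Version the posts above replaced their jars with (assumption: raise it to the
# release the Apache security page currently recommends).
MINIMUM_VERSION = (2, 15, 0)


def parse_version(jar_name: str):
    """Return (major, minor, patch) parsed from a log4j-core jar name, or None."""
    m = JAR_NAME_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(jar_path: Path) -> dict:
    """Read the jar's entry list and classify it without extracting anything."""
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    version = parse_version(jar_path.name)
    if version is not None and version >= MINIMUM_VERSION:
        status = "patched"        # upgraded jar; the class may still be present by design
    elif not has_jndi:
        status = "class-removed"  # old jar, but JndiLookup.class was stripped out
    else:
        status = "vulnerable"     # old jar with the lookup class still inside
    return {"jar": jar_path.name, "version": version,
            "jndi_lookup": has_jndi, "status": status}


def scan_lib_dir(lib_dir: Path) -> list:
    """Inspect every log4j-core jar directly under lib_dir, in sorted order."""
    return [inspect_jar(p) for p in sorted(lib_dir.glob("log4j-core-*.jar"))]


def make_sample_jar(directory: Path, version: str, include_jndi: bool) -> Path:
    """Build a constructed stand-in jar (empty class entries, not a real log4j build)."""
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def demo() -> dict:
    """Scan a temp directory holding three constructed jars; returns {jar name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        make_sample_jar(lib, "2.12.1", include_jndi=True)   # as shipped with JRS 7.5, untouched
        make_sample_jar(lib, "2.13.3", include_jndi=False)  # JndiLookup.class deleted from the jar
        make_sample_jar(lib, "2.15.0", include_jndi=True)   # replaced with the upgraded jar
        return {r["jar"]: r["status"] for r in scan_lib_dir(lib)}


if __name__ == "__main__":
    # Point scan_lib_dir at e.g. Path("/opt/jasperserver/apache-tomcat/webapps/jasperserver-pro/WEB-INF/lib")
    # for a real install; here the constructed jars are scanned instead.
    for jar, status in demo().items():
        print(f"{jar}: {status}")
```

Run it against a real install by calling scan_lib_dir() with the WEB-INF/lib path of the deployed webapp; a "vulnerable" result means either the jar swap or the class removal still has to be done, and a "patched" result only says the file name is new enough, so verify the version you chose against the current Apache advisory.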
I have worked on a solution on a few servers running Jasper server on version 7.5.0.
Basically, I added -Dlog4j2.formatMsgNoLookups=true to the setEnv file in the apache-tomcat folder.
Furthermore, I set the env var LOG4J_FORMAT_MSG_NO_LOOKUPS as the first answer says.