8 Answers:
I was reading about it, and we can mitigate it as described at https://logging.apache.org/log4j/2.x/security.html
I suggest exporting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS set to true in /etc/profile, where it will be applied to all your users.
JRS 7.9.0 Build 20210909_1344
Uses log4j 2.13.3 (see jar in WEB-INF/lib/log4j-core-2.13.3.jar)
Confirmed vulnerable signature with https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector
Recommended steps:
1) Define -Dlog4j2.formatMsgNoLookups=true in your JVM
OR
2) Replace the log4j 2.13.3 jars with 2.15 which is patched
I do not work for JasperSoft - YMMV
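The first thing this answer did was establish which log4j-core version the webapp ships. The script below is an added example, not the answerer's tooling: it audits a WEB-INF/lib directory by the version in each log4j-core jar's filename and flags anything below the 2.15.0 release the answer calls patched. The JasperReports install path is an assumption, and the fixture directory (an empty file named like the jar above) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not the answerer's tooling): audit a webapp's WEB-INF/lib
# for log4j-core jars by the version in the filename and flag any below
# the 2.15.0 release the answer calls patched. Install paths and the
# fixture directory are assumptions constructed for the demo.

# Version embedded in a log4j jar filename: .../log4j-core-2.13.3.jar -> 2.13.3
log4j_version_from_jar() {
    printf '%s\n' "$1" | sed 's/.*-\([0-9][0-9.]*\)\.jar$/\1/'
}

# Return 0 (true) when dotted version $1 sorts below $2, e.g. 2.13.3 < 2.15.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# audit_log4j_lib LIBDIR [FIXED_VERSION]
# Prints one line per log4j-core jar; returns 1 if any is below FIXED_VERSION.
audit_log4j_lib() {
    libdir="$1"; fixed="${2:-2.15.0}"; status=0; found=0
    for jar in "$libdir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue        # glob matched nothing
        found=1
        ver=$(log4j_version_from_jar "$jar")
        if version_lt "$ver" "$fixed"; then
            echo "VULNERABLE  $jar  (log4j-core $ver < $fixed)"
            status=1
        else
            echo "OK          $jar  (log4j-core $ver)"
        fi
    done
    [ "$found" -eq 1 ] || echo "no log4j-core jar found under $libdir"
    return "$status"
}

# Constructed fixture: an empty file named like the jar from the JRS 7.9.0
# answer; the audit only reads names, so no real bytecode is needed.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib"
    : > "$d/WEB-INF/lib/log4j-core-2.13.3.jar"
    echo "$d"
}

# Demo run. On a real host point it at the deployed webapp, e.g. (assumed path)
#   audit_log4j_lib /opt/jasperreports-server/apache-tomcat/webapps/jasperserver-pro/WEB-INF/lib
fx=$(make_fixture)
if audit_log4j_lib "$fx/WEB-INF/lib"; then
    echo "no action needed"
else
    echo "apply one of the recommended steps, then re-run"
fi
```

A filename check is triage only: it says nothing about log4j classes bundled inside other jars, which is why the answer also ran a bytecode detector against the deployment. Re-run the audit after either recommended step so the fix is confirmed on the files Tomcat actually loads.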
Hi there,
I'm trying to do some tests on my environment, with a Jasper Report Server 7.5 already installed (Tomcat+Postgres+log4j 2.12.1), trying to upgrade log4j libraries.
The vulnerability seems to be placed in "log4j-core-2.12.1.jar", specifically in JndiLookup.class contained in the jar.
In my case I'm currently testing a simple replacement of jar files with the 2.15.0 fixed version (which has been declared to be safe as of now - Dec 13th).
These are my changes:
log4j-core-2.12.1.jar -> log4j-core-2.15.0.jar
log4j-api-2.12.1.jar -> log4j-api-2.15.0.jar
log4j-1.2-api-2.12.1.jar -> log4j-1.2-api-2.15.0.jar
log4j-slf4j-impl-2.12.1.jar -> log4j-slf4j-impl-2.15.0.jar
log4j-jcl-2.12.1.jar -> log4j-jcl-2.15.0.jar
log4j-jul-2.12.1.jar -> log4j-jul-2.15.0.jar
log4j-web-2.12.1.jar -> log4j-web-2.15.0.jar
The change requires a Tomcat service stop and start to load the new library version.
In any case this is a self-made, not certified solution, and I'm pretty sure that a redeploy from Tomcat can override the changes.
Use all this stuff at your own risk - I do not work for JasperSoft
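The jar swap this answer describes is easy to get half right (one artifact left at the old version, no copy of the originals). The script below is an added example, not the answerer's own commands: it replaces the seven log4j 2.x artifacts listed above from one version to another inside a WEB-INF/lib directory, checks every old and new jar before moving anything, and keeps the old jars as a backup. The install paths, the directory holding the downloaded 2.15.0 jars and the fixture (empty files standing in for jars) are assumptions; the artifact list is the answer's.

```shell
#!/bin/sh
# Added example, not the answerer's own script: replace the seven log4j 2.x
# jars listed in the answer inside a Tomcat webapp's WEB-INF/lib, version to
# version, keeping the old jars as a backup. Install paths, the source dir
# for the new jars and the fixture are assumptions; the artifact list is
# the answer's.

LOG4J_ARTIFACTS="log4j-core log4j-api log4j-1.2-api log4j-slf4j-impl log4j-jcl log4j-jul log4j-web"

# Count log4j jars of one version in a directory (used to verify the swap).
count_log4j_jars() {
    n=0
    for j in "$1"/log4j-*-"$2".jar; do
        if [ -e "$j" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# replace_log4j_jars LIBDIR OLDVER NEWVER NEWJARDIR [BACKUPDIR]
# Checks every old and new jar up front and touches nothing if one is
# missing, so a half-done swap cannot leave the webapp with mixed versions.
replace_log4j_jars() {
    libdir="$1"; oldver="$2"; newver="$3"; newdir="$4"
    backup="${5:-$libdir/../log4j-$oldver-backup}"
    for art in $LOG4J_ARTIFACTS; do
        [ -f "$libdir/$art-$oldver.jar" ] || { echo "missing $art-$oldver.jar in $libdir" >&2; return 1; }
        [ -f "$newdir/$art-$newver.jar" ] || { echo "missing $art-$newver.jar in $newdir" >&2; return 1; }
    done
    mkdir -p "$backup"
    for art in $LOG4J_ARTIFACTS; do
        mv "$libdir/$art-$oldver.jar" "$backup/"
        cp "$newdir/$art-$newver.jar" "$libdir/"
    done
    echo "log4j $oldver -> $newver in $libdir (old jars in $backup)"
}

# Constructed fixture: empty files standing in for the jars, so the procedure
# can be rehearsed without a JasperReports install.
make_upgrade_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/new"
    for art in $LOG4J_ARTIFACTS; do
        : > "$d/lib/$art-2.12.1.jar"
        : > "$d/new/$art-2.15.0.jar"
    done
    echo "$d"
}

# Demo on the fixture. Against a real install (assumed paths) stop Tomcat
# first and start it afterwards, as the answer notes:
#   "$CATALINA_HOME/bin/shutdown.sh"
#   replace_log4j_jars "$CATALINA_HOME/webapps/jasperserver-pro/WEB-INF/lib" 2.12.1 2.15.0 /tmp/log4j-2.15.0
#   "$CATALINA_HOME/bin/startup.sh"
fx=$(make_upgrade_fixture)
replace_log4j_jars "$fx/lib" 2.12.1 2.15.0 "$fx/new" "$fx/backup"
echo "2.15.0 jars now in lib: $(count_log4j_jars "$fx/lib" 2.15.0)"
```

The backup directory defaults to a sibling of WEB-INF/lib rather than a subdirectory of it, so the old jars stay out of the webapp classpath; as the answer warns, a redeploy of the webapp can still restore the original jars, so keep the audit in place after any redeploy.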
I have worked on a solution on a few servers running Jasper Server version 7.5.0.
Basically I added -Dlog4j2.formatMsgNoLookups=true to the setenv file in the apache-tomcat folder.
Furthermore, I set the env LOG4J_FORMAT_MSG_NO_LOOKUPS as the first answer says.
Good luck.
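This answer and the first one apply the same mitigation in two places: the JVM system property through Tomcat's setenv file and the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable for all users. The script below is an added example, not either answerer's commands: it adds both settings idempotently (running it twice adds nothing) and then verifies what a shell that sources those files would actually see. The profile path is a parameter (the first answer uses /etc/profile; a /etc/profile.d snippet is the assumption in the demo), the Tomcat path is an assumption, and the fixture directories are constructed.

```shell
#!/bin/sh
# Added example covering the first and fourth answers, not their own
# commands: idempotently add (1) the JVM flag to Tomcat's bin/setenv.sh via
# CATALINA_OPTS and (2) LOG4J_FORMAT_MSG_NO_LOOKUPS=true to a profile file
# for all users, then verify what a sourced shell would actually see.
# Profile and Tomcat paths are parameters/assumptions; fixtures are constructed.

JVM_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Append a line to a file unless an identical line is already there.
append_line_once() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        echo "already present in $file: $line"
    else
        printf '%s\n' "$line" >> "$file"
        echo "added to $file: $line"
    fi
}

# add_nolookups_to_setenv CATALINA_HOME
# Tomcat's catalina.sh sources bin/setenv.sh; CATALINA_OPTS reaches the JVM.
add_nolookups_to_setenv() {
    append_line_once "$1/bin/setenv.sh" "CATALINA_OPTS=\"\$CATALINA_OPTS $JVM_FLAG\""
}

# add_nolookups_to_profile PROFILE_FILE   (e.g. /etc/profile.d/log4j.sh)
add_nolookups_to_profile() {
    append_line_once "$1" "export LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
}

# verify_nolookups CATALINA_HOME PROFILE_FILE  (both absolute paths)
# Source both files in a throwaway subshell; return 0 only if the env var
# is "true" AND the flag is present in CATALINA_OPTS.
verify_nolookups() {
    (
        . "$2"
        . "$1/bin/setenv.sh"
        [ "$LOG4J_FORMAT_MSG_NO_LOOKUPS" = "true" ] || exit 1
        case " $CATALINA_OPTS " in *" $JVM_FLAG "*) exit 0 ;; *) exit 1 ;; esac
    )
}

# Constructed fixture standing in for a Tomcat tree and a profile snippet.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/tomcat/bin"
    echo "$d"
}

# Demo; on a real host use the Tomcat dir of the JasperReports install
# (assumed path /opt/jasperreports-server/apache-tomcat) and restart Tomcat
# afterwards so the new CATALINA_OPTS take effect.
fx=$(make_fixture)
add_nolookups_to_setenv "$fx/tomcat"
add_nolookups_to_setenv "$fx/tomcat"          # second run adds nothing
add_nolookups_to_profile "$fx/profile.d-log4j.sh"
if verify_nolookups "$fx/tomcat" "$fx/profile.d-log4j.sh"; then
    echo "both mitigations in place"
fi
```

The verification step matters because a line in /etc/profile only reaches a Tomcat started from a login shell; a service started by init or systemd never sources it, which is why the setenv.sh route is the one that reliably reaches the JVM, and why the check sources both files rather than trusting that the edit was made.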
You didn't look far enough down the page (https://www.tibco.com/services/support/public-notices > https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update)
And on the support portal:
Which eventually takes you to https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update
@djohnson53, on the last page you linked to, the Jasper Server link points to an empty page.
Do you know what is the plan for updating the vulnerable installers provided on community.jaspersoft.com and on Sourceforge?
We are using the Docker image and Helm chart of Bitnami and there will be no fix to that until patched installers are available.
Yes, it seems so, but there is no clear procedure to upgrade the log4j version.
(https://www.tibco.com/services/support/public-notices > https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update)
Hot fixes are available about 3/4 of the way down the page.
Also: https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-jaspersoft-products
Another important link: https://support.tibco.com/s/article/TIBCO-Jaspersoft-Mitigation-for-CVE-2021-44228-Log4Shell