Apache Log4j Security Vulnerabilities

Hi,

Is the jasperreportserver affected by the log4j vulnerability?

https://logging.apache.org/log4j/2.x/security.html

Thanks,

David

david.ecker's picture
Joined: Oct 17 2019 - 11:26pm
Last seen: 1 year 5 months ago
harold.aling - 1 year 5 months ago

Do you mean the one under CVE-2021-44228? Another community member opened a thread where it's discussed earlier at this link: CVE-2021-44228 log4j Vulnerability | Jaspersoft Community

matthew.hinton - 1 year 5 months ago

AFAICS the answer is YES.

Why? Because I can see log4j-core-2.13.3.jar in the jasperserver/WEB-INF/lib/ folder

andrew_50 - 1 year 5 months ago

3 Answers:

jpadre's picture
2213
Joined: Feb 5 2020 - 10:24am
Last seen: 1 week 6 days ago

CVE-2021-45046

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

Severity: Moderate

Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Source: https://logging.apache.org/log4j/2.x/security.html

gustavofarias's picture
Joined: May 22 2012 - 7:10am
Last seen: 3 weeks 1 day ago

I am using JRS 6.4.0. According to this link https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-..., only the following JRS versions are affected. Does this mean lower versions are not vulnerable to Log4J2? Please advise. Thanks!

| Product | Affected Version |
| --- | --- |
| JasperReports Server | 7.5.x, 7.8.x, 7.9.x, 8.0.0 |

noel_c_cadiz's picture
Joined: Sep 7 2021 - 1:25am
Last seen: 1 year 5 months ago
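Added example (not part of any post in this thread, and not Jaspersoft or Apache code): a check of log4j-core jar file names, such as the log4j-core-2.13.3.jar seen in jasperserver/WEB-INF/lib/, against the version ranges quoted above for CVE-2021-45046. The function names and the assumption that jars keep the log4j-core-<version>.jar naming are illustrative.

```python
import re
from pathlib import Path

# Ranges quoted in the thread for CVE-2021-45046 (inclusive bounds).
# Tuple layout: (major, minor, patch, stage_rank, stage_number).
STAGES = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # None = final release
AFFECTED = [
    ((2, 0, 0, 1, 9), (2, 12, 1, 3, 0)),   # 2.0-beta9 through 2.12.1
    ((2, 13, 0, 3, 0), (2, 15, 0, 3, 0)),  # 2.13.0 through 2.15.0
]
# Assumption: jars keep the usual log4j-core-<version>.jar file name.
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$",
    re.IGNORECASE,
)

def parse_version(jar_name):
    """Return a comparable version tuple for a log4j-core jar name, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), STAGES[stage], int(num or 0))

def in_quoted_range(jar_name):
    """True if the jar's version falls inside the ranges quoted above."""
    v = parse_version(jar_name)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED)

def scan_lib(lib_dir):
    """Map each log4j-core jar found in lib_dir to its in-range verdict."""
    return {p.name: in_quoted_range(p.name)
            for p in sorted(Path(lib_dir).glob("log4j-core-*.jar"))}

if __name__ == "__main__":
    # Constructed file names; only the first one is mentioned in the thread.
    for name in ["log4j-core-2.13.3.jar", "log4j-core-2.16.0.jar",
                 "log4j-core-2.0-beta8.jar", "log4j-1.2.17.jar"]:
        print(f"{name}: in quoted range = {in_quoted_range(name)}")
```

A file-name check misses log4j classes that are renamed or bundled inside another archive, so treat a clean result as a first pass only.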