Hi,
is the jasperreportserver affected by the log4j vulnerability?
https://logging.apache.org/log4j/2.x/security.html
Thanks,
David
3 Answers:
Hi David,
Please see https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-....
Best regards,
Joe
CVE-2021-45046
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Severity: Moderate
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
I am using JRS 6.4.0. According to this link https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-..., only the following JRS versions are affected. Does this mean lower versions are not vulnerable to Log4J2? Please advise. Thanks!
Product | Affected Version
JasperReports Server | 7.5.x, 7.8.x, 7.9.x, 8.0.0
I've also added an issue in the tracker: https://community.jaspersoft.com/jasperreports-server/issues/13926
Do you mean the one under CVE-2021-44228? Another community member opened a thread where it's discussed earlier at this link: CVE-2021-44228 log4j Vulnerability | Jaspersoft Community
AFAICS the answer is YES.
Why? Because I can see log4j-core-2.13.3.jar in the jasperserver/WEB-INF/lib/ folder
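The check described in the last comment (looking at which log4j-core jar is shipped under WEB-INF/lib) can be scripted so that every deployment is inventoried the same way and the result is compared against the version ranges quoted from the CVE-2021-45046 advisory above (2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0). The script below is an added example written for this thread, not Jaspersoft's or the Log4j project's code. It assumes the jar follows the standard log4j-core-<version>.jar naming; a bundled or renamed copy of the library would not be found by filename alone. The sample directory it scans is constructed in the script itself.

```shell
#!/bin/sh
# Added example (not from the Jaspersoft thread or Jaspersoft's own tooling):
# inventory log4j-core jars under a web application and classify each version
# against the ranges the CVE-2021-45046 advisory lists as affected:
#   2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
# Assumption: jars are named log4j-core-<version>.jar (the standard naming).
# A shaded or renamed copy of log4j-core is not detected by this filename check.

# Extract "<version>" from a path such as .../WEB-INF/lib/log4j-core-2.13.3.jar.
log4j_version_from_name() {
    basename "$1" | sed -n 's/^log4j-core-\(.*\)\.jar$/\1/p'
}

# Classify one log4j-core version string. Prints "affected" or "not-affected".
# Pre-release suffixes (e.g. "2.0-beta9") are stripped before comparison, so any
# 2.0 pre-release is reported as affected and should be reviewed by hand.
log4j_core_status() {
    v="$1"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2 | sed 's/-.*//')
    patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/-.*//')
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    case "$major" in
        2) ;;
        *) echo "not-affected"; return ;;
    esac
    # 2.0-beta9 .. 2.12.1 (2.12.2 and later 2.12.x are outside the quoted range)
    if [ "$minor" -lt 12 ] || { [ "$minor" -eq 12 ] && [ "$patch" -le 1 ]; }; then
        echo "affected"; return
    fi
    # 2.13.0 .. 2.15.0
    if [ "$minor" -ge 13 ] && { [ "$minor" -lt 15 ] || { [ "$minor" -eq 15 ] && [ "$patch" -eq 0 ]; }; }; then
        echo "affected"; return
    fi
    echo "not-affected"
}

# Walk a directory tree (e.g. a JRS webapp root) and print one line per jar:
# <path> <version> <status>, tab separated.
scan_webapp_lib() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while read -r jar; do
        v=$(log4j_version_from_name "$jar")
        printf '%s\t%s\t%s\n' "$jar" "$v" "$(log4j_core_status "$v")"
    done
}

# Demo on a constructed directory layout: empty files standing in for the jars.
# The 2.13.3 name mirrors the jar mentioned in the thread; the others are made up.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/jasperserver/WEB-INF/lib" "$tmp/other-app/WEB-INF/lib"
    : > "$tmp/jasperserver/WEB-INF/lib/log4j-core-2.13.3.jar"
    : > "$tmp/other-app/WEB-INF/lib/log4j-core-2.17.1.jar"
    scan_webapp_lib "$tmp"
    rm -rf "$tmp"
}

demo_scan
```

Run it as `sh scan-log4j.sh` to see the demo, or call `scan_webapp_lib /path/to/tomcat/webapps` against a real installation. Any line marked "affected" identifies a jar to replace or remove, and a run that prints nothing means no standard-named log4j-core jar was found, which is not the same as the library being absent.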