Is the jasperreportserver affected by the log4j vulnerability?
Please see https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-....
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
I am using JRS 6.4.0. According to this link https://community.jaspersoft.com/wiki/apache-log4j-vulnerability-update-..., only the following JRS versions are affected. Does this mean lower versions are not vulnerable to Log4J2? Please advise. Thanks!
7.5.x, 7.8.x, 7.9.x, 8.0.0
I've also added an issue in the tracker: https://community.jaspersoft.com/jasperreports-server/issues/13926
Do you mean the one under CVE-2021-44228? Another community member opened a thread where it's discussed earlier at this link: CVE-2021-44228 log4j Vulnerability | Jaspersoft Community
AFAICS the answer is YES.
Why? Because I can see log4j-core-2.13.3.jar in the jasperserver/WEB-INF/lib/ folder
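
The jar check described in the last reply can be scripted. The following is an added example, not part of the original thread or of Jaspersoft's tooling: it finds every `log4j-core` jar under a deployed webapp directory and compares the version in the file name with the CVE-2021-45046 ranges quoted above. It assumes the jars keep the standard `log4j-core-<version>.jar` name; renamed jars or copies bundled inside other archives are not detected, and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Matches e.g. log4j-core-2.13.3.jar and log4j-core-2.0-beta9.jar
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL = (3, 0)  # a final release sorts after any alpha/beta/rc of the same version

# Ranges exactly as quoted in the thread for CVE-2021-45046
AFFECTED = [
    ((2, 0, 0, 1, 9), (2, 12, 1) + FINAL),     # 2.0-beta9 through 2.12.1
    ((2, 13, 0) + FINAL, (2, 15, 0) + FINAL),  # 2.13.0 through 2.15.0
]

def parse_version(jar_name):
    """Return a sortable tuple for a log4j-core jar name, or None if unrecognised."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch, qual, qnum = m.groups()
    pre = (PRE_RANK[qual.lower()], int(qnum)) if qual else FINAL
    return (int(major), int(minor), int(patch or 0)) + pre

def classify(jar_name):
    """Return 'affected', 'outside-range', or 'unparsed' for one jar file name."""
    v = parse_version(jar_name)
    if v is None:
        return "unparsed"  # unusual name: check this jar by hand
    hit = any(lo <= v <= hi for lo, hi in AFFECTED)
    return "affected" if hit else "outside-range"

def scan(webapp_dir):
    """Classify every log4j-core jar found anywhere under webapp_dir."""
    jars = sorted(Path(webapp_dir).rglob("log4j-core-*.jar"))
    return [(j.relative_to(webapp_dir).as_posix(), classify(j.name)) for j in jars]

if __name__ == "__main__":
    # Usage: python check_log4j.py <webapp dir>  (script name and path are assumptions)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan(root)
    for path, status in results:
        print(f"{status:14} {path}")
    if not results:
        print("no log4j-core jar found under", root)
    sys.exit(1 if any(s == "affected" for _, s in results) else 0)
```

A result of `outside-range` only means the version is not in the ranges quoted in this thread; it says nothing about other advisories.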