log4j security vulnerability resolution on Jasper Server

[darth_fader]

Curious when TIBCO plans to address the log4j vulnerability for jasper server? Haven't seen anything in the community or the premium portal. We're running 7.5.x Enterprise, and resolving this should be as simple as upgrading log4j from the supplied 2.12.1 (vulnerable) to 2.15 (not vulnerable). But because it's an Enterprise license, we're waiting on an official patch. Any estimates? I haven't seen or heard anything from TIBCO about addressing this for Jasper, and it's been several days since fixes were released for other TIBCO products.

Four days of postings with no mention of Jasper:

https://www.tibco.com/services/support/public-notices

[jacquie.kelly]

Just in case you missed it, a mitigation document and patch have now been released - https://support.tibco.com/s/article/TIBCO-Jaspersoft-Mitigation-for-CVE-2021-44228-Log4Shell

[gustavofarias]

https://logging.apache.org/log4j/2.x/security.html

"It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations."

 

[darth_fader]

Jacquie did you receive a direct notification on that? An email or some notice in the premium portal? I didn't receive anything. Definitely didn't see it and they're not including that on their support public notices.

 

Thank you for sharing that solution!

[djohnson53]

darth_fader

You didn't look far enough down the page (https://www.tibco.com/services/support/public-notices)