Jump to content
Changes to the Jaspersoft community edition download ×
  • Apache Log4j Vulnerability Update for Jaspersoft Products


    jpadre
    • Features: JasperReports Server Product: Jasper Deployment

    Summary

    Important Note: We will keep this page updated as more information becomes available.

    TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message.

    Impact: arbitrary code execution as the user the parent process is running as (code fetched from the public Internet, or lolbins already present on the system, or just fetching shared secrets or environment variables and returning them to the attacker). 

    Targets: All Jaspersoft Products and also log anything using the log4j framework - primarily a server-side concern, but any vulnerable endpoint could be a target or a pivot point.

    The sections below describe the affected products and versions, as well as how to mitigate the Log4j vulnerability.

    [toc]

     

    TIBCO Jaspersoft products/versions with vulnerable Log4j code:

    Product

    Affected Versions

    JasperReports Server

    7.5.x, 7.8.x, 7.9.x, 8.0.0

    JasperReports Server Community Edition

    7.5.x, 7.8.x, 8.0.0

    JasperReports IO Pro

    1.3.0, 2.0.0, 3.0.0

    JasperReports IO At-Scale

    2.0.0, 3.0.0

    Jaspersoft Studio Pro

    7.3.x, 7.5.x, 7.8.x, 7.9.x, 8.0.0

    Scalable Query Engine

    8.0.0

    Third-party drivers with vulnerable libraries (instructions for manually removing these libraries are provided in the next section):

    Product/Version

    Drivers/Affected JAR Files
    JasperReports Server 8.0.0

    Neo4j: neo4j-jdbc42-1.0.8.1009.jar

    Spark: spark-jdbc42-2.6.18.1023.jar

    Impala: impala-jdbc42-2.6.21.1025.jar

    JasperReports Server 7.9.x

    Neo4j: neo4j-jdbc42-1.0.2.1002.jar

    Spark: spark-jdbc42-2.6.16.1020.jar

    Impala: impala-jdbc42-2.6.18.1021.jar

    JasperReports Server 7.8.x

    Neo4j: neo4j-jdbc42-1.0.2.1002.jar

    Spark: spark-jdbc42-2.6.10.1013.jar

    Impala: impala-jdbc42-2.6.15.1017.jar

    JasperReports Server 7.5.0

    Spark: spark-jdbc42-2.6.10.1013.jar

    Impala: impala-jdbc42-2.6.15.1017.jar

    Important Note: The following JDBC datasources will stop working when these drivers are removed:

    • Neo4j
    • SparkSQL
    • Impala

    For additional information on Neo4j CVE mitigation, see https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856.

    Products Not Affected

    The following Jaspersoft products are not affected by the Apache Log4J vulnerability:

    • JasperReports Library Pro*

    • JasperReports Library Community Edition*

    *For these Jaspersoft products, customers are responsible for updating libraries for their applications. 


    Resolution for JasperReports Server

    To disable the compromised functionality for JasperReports Server, perform the following steps:

    Note that updating the JARs should not have any impact on Jaspersoft product functionality. TIBCO will update this information if there is any impact.

    1. Stop the application server.

    2. Find the root web application folder

      (for example: c:apache-tomcatwebappsjasperserver-pro*.*).

    3. Delete the following files from the library folder

      (for example: c:apache-tomcatwebappsjasperserver-proWEB-INFlib)

      log4j-api-2.13.3.jar           log4j-core-2.13.3.jar
      log4j-jcl-2.13.3.jar           log4j-jul-2.13.3.jar
      log4j-slf4j-impl-2.13.3.jar    log4j-web-2.13.3.jar
      log4j-1.2-api-2.13.3.jar
      

      For JRS 8.0.x, also delete:

      neo4j-jdbc42-1.0.8.1009.jar
      spark-jdbc42-2.6.18.1023.jar
      impala-jdbc42-2.6.21.1025.jar

      For JRS 7.9.x, also delete: 

      neo4j-jdbc42-1.0.2.1002.jar
      spark-jdbc42-2.6.16.1020.jar
      impala-jdbc42-2.6.18.1021.jar

      For JRS 7.8.x, also delete:

      neo4j-jdbc42-1.0.2.1002.jar
      spark-jdbc42-2.6.10.1013.jar
      impala-jdbc42-2.6.15.1017.jar

      For JRS 7.5.x, also delete: 

      spark-jdbc42-2.6.10.1013.jar
      impala-jdbc42-2.6.15.1017.jar
      

      Notes:

      • The files listed above are applicable to JRS version 7.8.1, 7.9.1, and 8.0.0. JRS 7.5.2 has a different version of Log4j, (2.12.1).

      • For JBoss EAP 7.2.0, the location of log4j files is:

        ../jboss-eap-7.2/standalone/deployments/jasperserver-pro.war/WEB-INF/lib

      • For Wildfly 18/19, the location of log4j files is:

        ../standalone/deployments/jasperserver-pro.war/WEB-INF/lib

    4. Add the following files (Jar download location is also provided):

    5. For JBoss and Wildfly application servers, change the reference of Log4j jar versions from 2.13.3 to 2.17.1 in jboss-deployment-structure.xml.

      Example JBoss file location:

      C:jbossstandalonedeploymentsjasperserver-pro.warMETA-INF

      Example Wildfly file location:

      C:wildfly1910standalonedeploymentsjasperserver-pro.warMETA-INF

      Old references will be:

      <resource-root path="WEB-INF/lib/log4j-web-2.13.3.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-slf4j-impl-2.13.3.jar" use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-jul-2.13.3.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-jcl-2.13.3.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-core-2.13.3.jar"       use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-api-2.13.3.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-1.2-api-2.13.3.jar"    use-physical-code-source="true"/>
      

      New references should be:

      <resource-root path="WEB-INF/lib/log4j-web-2.17.1.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar" use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-jul-2.17.1.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-jcl-2.17.1.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-core-2.17.1.jar"       use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-api-2.17.1.jar"        use-physical-code-source="true"/>
      <resource-root path="WEB-INF/lib/log4j-1.2-api-2.17.1.jar"    use-physical-code-source="true"/>
      
    6. Start the application server.


    AWS Marketplace and QuickStart deployment

    1. ssh into the running instance.

    2. Locate the application server under /var/lib/tomcat/ and follow Tomcat steps above . Find jars under /var/lib/tomcat/webapps/jasperserver-pro/WEB-INF/lib.

      Note: For JRS 7.5.2, the directory is:

      /var/lib/tomcat8/webapps/jasperserver-pro/WEB-INF/lib.


    WebLogic and WebSphere

    Deploying from the Administrative Console

    Deploying from the Administrative Console requires changes to the original war file. Perform the following steps to patch the war file for any Application Servers.

    1. Find originally deployed war file.

    2. Using the Java jar tool or an unzip tool, unpack the jasperserver-pro.war file. For example, enter these commands to use the Java jar tool:

      mkdir jasperserver-pro 
      cd jasperserver-pro 
      "%JAVA_HOME%/bin/jar" xvf ../jasperserver-pro.war
      
    3. Delete JARs to avoid conflict with WebLogic JARs:

      1. Go to the WEB-INF/lib directory: cd jasperserver-pro/WEB-INF/lib.

      2. Delete the following conflicting JARs:

        log4j-api-2.13.3.jar           log4j-core-2.13.3.jar 
        log4j-jcl-2.13.3.jar           log4j-jul-2.13.3.jar 
        log4j-slf4j-impl-2.13.3.jar    log4j-web-2.13.3.jar
        log4j-1.2-api-2.13.3.jar
        

        For JRS 8.0.x, also delete:

        neo4j-jdbc42-1.0.8.1009.jar
        spark-jdbc42-2.6.18.1023.jar
        impala-jdbc42-2.6.21.1025.jar

        For JRS 7.9.x, also delete: 

        neo4j-jdbc42-1.0.2.1002.jar
        spark-jdbc42-2.6.16.1020.jar
        impala-jdbc42-2.6.18.1021.jar

        For JRS 7.8.0, also delete:

        neo4j-jdbc42-1.0.2.1002.jar
        spark-jdbc42-2.6.10.1013.jar
        impala-jdbc42-2.6.15.1017.jar

        For JRS 7.5.0, also delete: 

        spark-jdbc42-2.6.10.1013.jar
        impala-jdbc42-2.6.15.1017.jar
        

        Notes: The files listed above are applicable to JRS version 7.8.1, 7.9.1, and 8.0.0. JRS 7.5.2 has a different version of Log4j, (2.12.1).

    4. Add the following files (Jar download location is also provided)

    5. Repackage the jasperserver-pro.war file, using commands such as the following:

      cd ../.. 
      mv ../jasperserver-pro.war ../BAK-jasperserver-pro.war 
      "%JAVA_HOME%/bin/jar" cvf ../jasperserver-pro.war 
      cd ..
      mv jasperserver-pro BAK-jasperserver-pro
      

    Deploying the JasperReports Server WAR file in WebLogic

    To deploy the JasperReports Server WAR file in WebLogic (based on Install Guide):

    1. Enable the Lock & Edit button:

      1. Select the Preferences link at the top of the Admin console.

      2. Scroll to the bottom of the User Preferences screen and deselect Automatically Acquire Lock and Activate Changes.

      3. Save.

    2. In the Administrative Console, click the Lock & Edit button and navigate to Deployments.

    3. On the Deployments page, click the Install button.

    4. Select the path to <js-install>. Click Next.

    5. Leave the radio button selected for Install this deployment as an application. Click Next.

    6. When prompted, enter the following parameter values:

      1. Name: jasperserver-pro

      2. Security: Roles and Policies

      3. Source accessibility: Use the defaults defined by the deployment's targets

    7. Review your choices and click Save.


    Redeploying the JasperReports Server WAR file in WebSphere

    To redeploy the JasperReports Server WAR file in WebSphere (based on Install Guide):

    1. In the Administrative Console, navigate to Applications > New Application and select New Enterprise Application. (JasperReports Server is a modern application, based on Java Servlet version 2.4, so you do not select the older, WebSphere V4 compliant application type.)

    2. Browse to <js-install>/jasperserver-pro.war on the local file system. Keep the default setting (Fast path) selected and click Next.

    3. On the Select installation options page, accept all the default settings and click Next.

    4. On the Map modules to servers page, make sure the JasperReports Server module is mapped to the cell, node, and server that you want. Click Next.

    5. On the Map modules to servers page, select jasperserver. Click Next.

    6. On the Map resource references to resources page, map the resources you want:

      1. First, select the Browse button under the jdbc/jasperserver resource. In the page that opens, select the jdbc/jasperserver radio button, and click Apply. Then select the check box next to the jdbc/jasperserver resource.

      2. If you plan to run the sample reports, follow the same steps for jdbc/surgarcrm and jdbc/foodmart, making sure to select the correct radio button for each one.

      3. When you have mapped all resources, select the check boxes next to every resource that has been mapped.

      4. Click Next.

    7. On the Map virtual hosts page, choose the JasperServer UI application module. Click Next.

    8. In the Map context roots for Web modules, enter jasperserver-pro.

    9. Click Next, review the summary information and start the installation process. (The installation process may take a while.)

    10. Click Save directly to the master configuration.


    Modifying the deployment directly for WebLogic:

    1. Stop the application server.

    2. Switch to the directory where the old log4j jar files are located.

      For example:

      /opt/Oracle/Middleware/Oracle_Home/domains/jasper_domain/servers/myserver/tmp/_WL_user/jasperserver-pro/jjb30p/war/WEB-INF/lib

    3. Delete the old log4j*2.13.3.jar files.

      Note: The file listed above is applicable to JRS version 7.8.1, 7.9.1, and 8.0.0. JRS 7.5.2 has a different version of Log4j, (2.12.1).

    4. Place the new log4j*2.17.1.jar files into the same directory.

    5. Restart the application server.


    Modifying the deployment directly for WebSphere:

    1. Stop the application server.

    2. Switch to the directory where the old log4j jar files are located.

      For example: /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/<node_cell_dir>/jasperserver-pro_war.ear/jasperserver-pro.war/WEB-INF/lib

    3. Delete the old log4j*2.13.3.jar files. Note: The file listed here is applicable to JRS version 7.8.1, 7.9.1, and 8.0.0. JRS 7.5.2 has a different version of Log4j, (2.12.1).

    4. Place the new log4j*2.17.1.jar files into the same directory.
    5. Restart application server.


    AWS Cluster Deployment Fix

    For JRS 7.8.0-HF2 and JRS 7.9.1
    1. Download and copy the log4j_aws_fix.sh (available in the Attachments section at the end of this article) to the Amazon S3 JasperReports customization bucket under the webapps/jasperserver-pro/WEB-INF folder.

      Note: The S3 bucket referred to here is generated when you generate the stack/instance. The S3 bucket name is available in the Cloud Formation Stack output tab. You can search the S3 buckets by date, to see when the latest S3 buckets were generated.  

    2. Update the CloudFormation Template (CFT) with the following changes under the AWS::CloudFormation::Init section of LaunchConfig:

      "4-log4jFix": {
          "cwd"     : "/var/lib/tomcat/webapps/jasperserver-pro/WEB-INF/",
          "command" : { "Fn::Join" : [" ", 
                                      ["sudo systemctl stop tomcat && chmod +x log4j_aws_fix.sh && ./log4j_aws_fix.sh && systemctl start tomcat"]
                                     ]
                      },
          "failOnError" : "true"
      
    3. Under the Restart section, add the 4-log4jFix to the commands list. For example:

      "commands" : ["2-pullCustomizations","3-enableCluster","4-log4jFix"]
      
    4. Update the CloudFormation stack with the updated changes by uploading the new template.

    5. Restart the already running instances.

    For JRS 7.5.2, 7.9.1 or JRS 7.8.0 HF2, the directory to check is:

    /var/lib/tomcat/webapps/jasperserver-pro/WEB-INF/libs

    For JRS 7.5.1
    1. Download and copy the log4j_aws_750_fix.sh (available in the Attachments section at the end of this article) to the Amazon S3 JasperReports customization bucket under the webapps/jasperserver-pro/WEB-INF folder.

    2. Update the CloudFormation Template (CFT) with the following changes under the AWS::CloudFormation::Init section of LaunchConfig:

      "4-log4jFix": {
          "cwd"        : "/var/lib/tomcat8/webapps/jasperserver-pro/WEB-INF/",
          "command"    : { "Fn::Join":
                               [" ", 
                                ["sudo service tomcat8 stop && chmod +x log4j_aws_750_fix.sh && ./log4j_aws_750_fix.sh && service  tomcat8 start"]
                               ]
                         },
          "failOnError": "true"
    3. Under the Restart section, add the 4-log4jFix to the commands list. For example:

      "commands" : ["2-pullCustomizations","3-enableCluster","4-log4jFix"]
      
    4. Update the CloudFormation stack with the updated changes by uploading the new template.

    5. Restart the already running instances.

    Note: To upgrade log4j from v2.16 or any other version to v2.17.1, run the following command on the instance to get the current version of log4j:

    ls -l /usr/share/tomcat/webapps/jasperserver-pro/WEB-INF/lib/log4j-*

    Then update log4j_aws_fix.sh or log4j_aws_750_fix.sh to remove those jars. After that, you could perform all the steps above.


    Resolution for JasperReports IO Professional

    Version 1.3.0

    1. Stop JRIO application.

    2. Remove the following files from the [JRIO_PRO]/jrio/webapps/jrio/WEB-INF/lib folder:

      log4j-api-2.8.2.jar    log4j-core-2.8.2.jar
      log4j-jcl-2.8.2.jar    log4j-jul-2.8.2.jar
      
    3. Add the following files to the [JRIO_PRO]/jrio/webapps/jrio/WEB-INF/lib folder:

      log4j-api-2.17.0.jar    log4j-core-2.17.0.jar
      log4j-jcl-2.17.0.jar    log4j-jul-2.17.0.jar
      

      Start JRIO application.

    Version 2.0.0

    1. Start JRIO application.

    2. Remove the following files from the [JRIO_PRO]/jrio/webapps/jrio/WEB-INF/lib folder:

      log4j-api-2.8.2.jar        log4j-core-2.8.2.jar
      log4j-jcl-2.8.2.jar        log4j-jul-2.8.2.jar
      log4j-slf4j-impl-2.8.2.jar
      
    3. Add the following files to the [JRIO_PRO]/jrio/webapps/jrio/WEB-INF/lib folder:

      log4j-api-2.17.0.jar        log4j-core-2.17.0.jar
      log4j-jcl-2.17.0.jar        log4j-jul-2.17.0.jar
      log4j-slf4j-impl-2.17.0.jar
      
    4. Start JRIO application.

    Version 3.0.0

    1. Stop JRIO application.

    2. Remove the following files from the [JRIO_PRO]/jrio/webapps/jrio/WEB-INF/lib folder:

      log4j-api-2.14.0.jar        log4j-core-2.14.0.jar
      log4j-jcl-2.14.0.jar        log4j-jul-2.14.0.jar
      log4j-slf4j-impl-2.14.0.jar
      
    3. Add the following files to the [JRIO_PRO]/jrio/webapps/jrio/WEB-INF/lib folder:

      log4j-api-2.17.0.jar       log4j-core-2.17.0.jar
      log4j-jcl-2.17.0.jar       log4j-jul-2.17.0.jar
      log4j-slf4j-impl-2.17.0.jar
      
    4. Start JRIO application.


    Resolution for Jaspersoft Studio Professional

    Version 7.5.0 and Version 7.8.0

    1. Close JSS application.

    2. Remove the following files from the [JSS_PRO]/jrio/jrio/WEB-INF/lib folder:

      log4j-api-2.8.2.jar  log4j-core-2.8.2.jar
      log4j-jcl-2.8.2.jar  log4j-jul-2.8.2.jar
      
    3. Add the following files to the [JSS_PRO]/jrio/jrio/WEB-INF/lib folder:

      log4j-api-2.17.1.jar  log4j-core-2.17.1.jar
      log4j-jcl-2.17.1.jar  log4j-jul-2.17.1.jar
      
    4. Open JSS application.

    Version 7.9.0

    1. Close JSS application.

    2. Remove the following files from the [JSS_PRO]/jrio/jrio/WEB-INF/lib folder:

      log4j-api-2.8.2.jar        log4j-core-2.8.2.jar
      log4j-jcl-2.8.2.jar        log4j-jul-2.8.2.jar
      log4j-slf4j-impl-2.8.2.jar
      
    3. Add the following files to the [JSS_PRO]/jrio/jrio/WEB-INF/lib folder:

      log4j-api-2.17.1.jar       log4j-core-2.17.1.jar
      log4j-jcl-2.17.1.jar       log4j-jul-2.17.1.jar
      log4j-slf4j-impl-2.17.1.jar
      
    4. Open JSS application.

    Version 8.0.0

    1. Close JSS application.

    2. Remove the following files from the [JSS_PRO]/jrio/jrio/WEB-INF/lib folder:

      log4j-api-2.14.0.jar       log4j-core-2.14.0.jar
      log4j-jcl-2.14.0.jar       log4j-jul-2.14.0.jar
      log4j-slf4j-impl-2.14.0.jar
      
    3. Add the following files to the [JSS_PRO]/jrio/jrio/WEB-INF/lib folder:

      log4j-api-2.17.1.jar       log4j-core-2.17.1.jar
      log4j-jcl-2.17.1.jar       log4j-jul-2.17.1.jar
      log4j-slf4j-impl-2.17.1.jar
      
    4. Open JSS application.

    Scalable Query Engine

    1. Locate distribution root folder:

      cd <js-install>
      
    2. Unpack index file:

      "%JAVA_HOME%/bin/jar" xf scalable-query-engine-8.0.0.jar BOOT-INF/classpath.idx
      
    3. Delete old version of log4j:

      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-slf4j-impl-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-core-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-api-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-1.2-api-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-jcl-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-layout-template-json-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-kubernetes-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-docker-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-spring-boot-2.14.1.jar
      zip -d scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-jul-2.14.1.jar
      
    4. Create folder BOOT-INF/lib and put all new versions of log4j there.

    5. Add new versions of log4j to the jar:

      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-core-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-slf4j-impl-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-core-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-api-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-1.2-api-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-jcl-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-layout-template-json-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-kubernetes-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-docker-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-spring-boot-2.17.1.jar
      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/lib/log4j-jul-2.17.1.jar
      
    6. Update BOOT-INF/classpath.idx entries that starts from `- "BOOT-INF/lib/log4j-` with new file names version.

    7. Add updated BOOT-INF/classpath.idx to the jar:

      "%JAVA_HOME%\bin\jar" uf scalable-query-engine-8.0.0.jar BOOT-INF/classpath.idx
      

    Available Hotfixes

    Hotfixes are available for the following products and versions. Please note that these hotfixes are only available to TIBCO customers and users with Support Portal access.


    References

    Document History

    • Version 8.0 (March 8, 2022): Updated Log4j jar file versions from 2.17.0 to 2.17.1.
    • Version 7.0 (January 7, 2022): Updated information for JRS 7.9.1 and JRS 7.8.0 HF2.
    • Version 6.0 (December 23, 2021): Updated Log4j jar file versions from 2.16.0 to 2.17.0.
    • Version 5.0 (December 20, 2021): Added list and instructions for additional third-party drivers (Neo4j, Spark, Impala) that need to be manually deleted from 8.0.0,  7.9.0, 7.8.0, and 7.5.0.
    • Version 4.0 (December 17, 2021): Added JSS Pro, JRIO Pro, and JRIO At-Scale hotfix links.
    • Version 3.2 (December 16, 2021): Added log4j sh script files.
    • Version 3.1 (December 15, 2021): Minor edits to AWS Cluster Deployment Fix section.
    • Version 3.0 (December 15, 2021): Added AWS Cluster Deployment Fix, updated Log4j jar file versions from 2.15.0 to 2.16.0; moved JasperReports Library Pro and JasperReports Library Community Edition to Products Not Affected list; updated Available Hotfix links.
    • Version 2.0 (December 14, 2021) Added Available Hotfix links.
    • Version 1.0 (December 13, 2021): Initial version.

    log4j_aws_fix.sh

    log4j_aws_750_fix.sh

    log4j_aws-sh.zip

    log4j_aws-sh_0.zip

    log4j_aws-sh_1.zip


    User Feedback

    Recommended Comments

    The Jaspersoft Studio Community Edition does not have the JasperReports IO plugin so it does not expose any of the known Log4j vulnerabilities that we try to address with these upgrades.

    Link to comment
    Share on other sites

    Thanks for your reply. I was just wondering because I found in the plugins folder "org.slf4j.impl.log4j12_1.7.2.v20131105-2200.jar" and "org.apache.log4j_1.2.15.v201012070815".

    Are these files necessary?

    thx

    Link to comment
    Share on other sites

    Hi, indeed these plugins are part of target platform of the product itself and their presence it's related to other bundles. But as far as understood there should be no risk related to this. Because different version and packaging too.
    There is a thread on the Eclipse forum (and a linked mailing list thread in it) that mention it: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [ECLIPSE FORUM]

    Whenever Orbit project will be refreshing such kind of bundles we will proceed in that direction as well. But as also Ed Merks explained (in there) it's not a matter of days, because it touches also other foundation projects.

    Regards,
    Massimo.

    Link to comment
    Share on other sites

    I do not see Jaspersoft Studio 6.16.0 mentioned in the list of log4j affected software, above.

    Is Jaspersoft Studio 6.16.0 affected by the log4j vulnerability? If it is affected, is there a means to resolve the vulnerability with 6.16.0 without updating to a newer version of Studio?

    Cheers, David

    Link to comment
    Share on other sites



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...