daust / JasperReportsIntegration

JasperReportsIntegration provides an interface to use the JasperReports reporting engine in an Oracle database application, specifically with Oracle Application Express (Oracle APEX).
BSD 3-Clause "New" or "Revised" License

Log4J version included with Jasper Reports Integration affected by CVE-2021-44228 (Log4Shell) #86

Closed bwetherall closed 2 years ago

bwetherall commented 2 years ago

Hi,

I am not a Java expert but have been looking into the Log4Shell issue in our environment (in the headlines over the past few days).

The jri.war file has a version of log4j that is apparently vulnerable to this exploit:

https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

Let me know if I am wrong in thinking this could be exploited.

I am following a Microsoft guide on how to disable it:

https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2

I will report back if this works without breaking Jasper Reports Integration - but it would be nice to either perform this fix on the repository version or upgrade log4j?

Thanks for the awesome tool btw! Have created some great PDF output that has impressed clients over recent years!

Regards, Ben
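The check described in the post above (finding out which log4j version jri.war bundles) can be automated. The following is an added example and is not code from the JasperReportsIntegration project: it opens a war, locates bundled log4j jars by file name, parses their version, and checks whether log4j-core still contains the JndiLookup class that Apache's mitigation guidance removes when an upgrade is not possible. The WEB-INF/lib layout and the sample jar versions are constructed assumptions; the thresholds (CVE-2021-44228 affecting Log4j 2.0-beta9 through 2.14.1, first fixed in 2.15.0) are Apache's published ranges.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import BinaryIO, List, Tuple

# Matches "log4j-core-2.8.2.jar" (Log4j 2) and "log4j-1.2.17.jar" (Log4j 1) anywhere in the archive.
LOG4J_JAR_RE = re.compile(r"(?:^|/)log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

# The lookup class that CVE-2021-44228 depends on; Apache's advisory recommends
# removing it from log4j-core when upgrading is not possible.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# CVE-2021-44228 affects Log4j 2.0-beta9 through 2.14.1; 2.15.0 was the first fixed release.
FIRST_FIXED = (2, 15, 0)


@dataclass
class Finding:
    jar_path: str
    version: Tuple[int, int, int]
    has_jndi_lookup: bool

    @property
    def status(self) -> str:
        if self.version[0] == 1:
            return "end-of-life 1.x (not affected by CVE-2021-44228, unsupported since 2015)"
        if self.version < FIRST_FIXED and self.has_jndi_lookup:
            return "VULNERABLE: 2.x below 2.15.0 with JndiLookup present"
        if self.version < FIRST_FIXED:
            return "mitigated: 2.x below 2.15.0 but JndiLookup removed"
        return "ok: 2.15.0 or later"


def scan_war(war: BinaryIO) -> List[Finding]:
    """Open a .war and inspect every bundled log4j jar (a nested zip) it contains."""
    findings: List[Finding] = []
    with zipfile.ZipFile(war) as outer:
        for name in outer.namelist():
            m = LOG4J_JAR_RE.search(name)
            if not m:
                continue
            version = tuple(int(g) for g in m.groups())
            # Each jar is itself a zip; look inside it for the JNDI lookup class.
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                has_lookup = JNDI_LOOKUP_CLASS in inner.namelist()
            findings.append(Finding(name, version, has_lookup))
    return findings


def _jar(entries: dict) -> bytes:
    """Build an in-memory jar (zip) from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


def build_sample_war(core_version: str, include_jndi_lookup: bool = True) -> io.BytesIO:
    """Constructed sample war (not a real jri.war): one log4j-core jar and one log4j-api jar."""
    core_entries = {JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"} if include_jndi_lookup else {}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(f"WEB-INF/lib/log4j-core-{core_version}.jar", _jar(core_entries))
        war.writestr(f"WEB-INF/lib/log4j-api-{core_version}.jar", _jar({}))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys

    # Pass a path to a real war to scan it; with no argument the constructed sample is used.
    source = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_war("2.8.2")
    for f in scan_war(source):
        print(f"{f.jar_path}: {'.'.join(map(str, f.version))} -> {f.status}")
```

Run it as `python scan_log4j.py jri.war`. The version is taken from the jar file name, so a repackaged or shaded jar would need its manifest or pom.properties inspected instead; the JndiLookup check is what distinguishes a stock affected jar from one where the class was already removed.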

sweco-nlgerd commented 2 years ago

log4j 1.x is end of life since 2015 (https://logging.apache.org/log4j/1.2/) and should not be used anyway.

JasperReports itself is updating to 2.15.0 in a PR (https://github.com/TIBCOSoftware/jasperreports/pull/238). This integration should be updated ASAP to make sure the issue is not there anymore.

According to apache log4j "Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes." https://logging.apache.org/log4j/2.x/security.html

agrigorjan commented 2 years ago

Hi,

This information in German may also help: PCWelt or BSI

bwetherall commented 2 years ago

> log4j 1.x is end of life since 2015 (https://logging.apache.org/log4j/1.2/) and should not be used anyway.
>
> JasperReports itself is updating to 2.15.0 in a PR (TIBCOSoftware/jasperreports#238). This integration should be updated ASAP to make sure the issue is not there anymore.
>
> According to apache log4j "Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes." https://logging.apache.org/log4j/2.x/security.html

Thanks! The version of log4j in our install of JRI was 2.8.2, so it would be affected by the Log4Shell bug. It's great that there is a pull request already to fix this 😄

daust commented 2 years ago

Thank you for raising this. For progress on this issue, see: https://github.com/daust/JasperReportsIntegration/issues/87