Closed bwetherall closed 2 years ago
log4j 1.x has been end of life since 2015 (https://logging.apache.org/log4j/1.2/) and should not be used anyway.
JasperReports itself is updating to 2.15.0 in a PR (https://github.com/TIBCOSoftware/jasperreports/pull/238). This integration should be updated ASAP to make sure the issue is not there anymore.
According to Apache Log4j: "Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes." https://logging.apache.org/log4j/2.x/security.html
Thanks! The version of log4j in our install of JRI was 2.8.2 - so would be affected by the log4shell bug. It's great that there is a Pull Request already to fix this 😄
Thank you for raising this. For progress on this issue, see: https://github.com/daust/JasperReportsIntegration/issues/87
Hi,
I am not a Java expert but have been looking into the Log4Shell issue in our environment (in the headlines over the past few days).
The jri.war file has a version of log4j that is apparently vulnerable to this exploit:
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
Let me know if I am wrong for thinking this could be exploited?
I am following a Microsoft guide on how to disable it:
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2
I will report back if this works without breaking Jasper Reports Integration - but it would be nice to either perform this fix on the repository version or upgrade log4j?
Thanks for the awesome tool btw! Have created some great PDF output that has impressed clients over recent years!
Regards, Ben
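To confirm which log4j jars a deployed WAR such as jri.war actually bundles, the following added example (not code from this thread or from the JasperReportsIntegration project) lists each log4j jar, its version, and whether the JndiLookup class is present. The sample WAR is constructed in memory, and its `WEB-INF/lib` layout and `jasperreports-x.jar` entry are assumptions for illustration.

```python
import io
import re
import zipfile

# Matches log4j 1.x (log4j-1.2.17.jar) and 2.x (log4j-core-2.8.2.jar, log4j-api-...).
JAR_RE = re.compile(r"(?:^|/)(log4j(?:-core|-api)?)-(\d[\w.\-]*)\.jar$")
# Class that performs the JNDI lookups abused by CVE-2021-44228 (log4j-core 2.x).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_war(war):
    """Return (entry, artifact, version, has_jndi_lookup) per bundled log4j jar.

    `war` is a path or a binary file object for a WAR such as jri.war.
    """
    findings = []
    with zipfile.ZipFile(war) as outer:
        for name in outer.namelist():
            m = JAR_RE.search(name)
            if not m:
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as jar:
                    has_jndi = JNDI_CLASS in jar.namelist()
            except zipfile.BadZipFile:
                has_jndi = None  # unreadable jar: report it, inspect by hand
            findings.append((name, m.group(1), m.group(2), has_jndi))
    return findings


def build_sample_war():
    """Constructed stand-in for jri.war (empty class files, not real jars)."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for e in entries:
                z.writestr(e, b"")
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:  # WEB-INF/lib layout is an assumption
        z.writestr("WEB-INF/lib/log4j-core-2.8.2.jar", jar([JNDI_CLASS]))
        z.writestr("WEB-INF/lib/log4j-api-2.8.2.jar", jar(["META-INF/MANIFEST.MF"]))
        z.writestr("WEB-INF/lib/jasperreports-x.jar", jar(["a.class"]))
    war.seek(0)
    return war


if __name__ == "__main__":
    for row in scan_war(build_sample_war()):
        print(row)
```

Pass the path to the real WAR to `scan_war` to inventory an actual deployment; the script only reads the archive and changes nothing.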