daust / JasperReportsIntegration

JasperReportsIntegration provides an interface to use the JasperReports reporting engine in an Oracle database application, specifically with Oracle Application Express (Oracle APEX).
BSD 3-Clause "New" or "Revised" License
55 stars 23 forks

Security warning: New zero-day in the Log4j Java library #87

Closed nlwilson02 closed 2 years ago

nlwilson02 commented 2 years ago

The CVE-2021-44228 vulnerability was announced on 12/10/2021. Is there a way to turn off log4j logging or use another method to mitigate the security vulnerability in the version of log4j being used? The /jri/lib folder is showing log4j-1.2.15.jar as the current version of log4j.

Thanks, Nancy

sweco-nlgerd commented 2 years ago

According to multiple sources, version 1.x is less affected:

https://stackoverflow.com/questions/70312033/how-to-mitigate-log4shell-vulnerability-in-version-1-2-of-log4j
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=6 (in German)

This integration relies on https://github.com/TIBCOSoftware/jasperreports, which is in the process of updating to log4j 2.15, so I think @daust will update it when available.

daust commented 2 years ago

Based on the comments from Teodor Danciu: https://github.com/TIBCOSoftware/jasperreports/issues/239 and https://github.com/TIBCOSoftware/jasperreports/pull/238

log4j is only used for running tests, but is NOT an integral part of the JasperReports library.

Thus, you could simply REMOVE the following libraries from the war-file or from the exploded directory jri/WEB-INF/lib:

log4j-api-2.8.2.jar
log4j-core-2.8.2.jar
log4j-jcl-2.8.2.jar

My tests (without those log4j-libraries) have been successful so far.

Please let me know if you find issues.

This also leads me to believe that JRI is NOT affected by this problem, because the logging libraries are not used.

I will also update my own logging (which uses the outdated log4j 1.x) to the latest version in a later release.

And I will provide a new release / build without the vulnerable log4j libraries.
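The pruning described in the comment above, written up as an added example (this is not code from the JasperReportsIntegration project or from anyone in this thread): a POSIX shell script that inventories the log4j jars in an exploded deployment, deletes the 2.x ones (log4j-api, log4j-core, log4j-jcl) while leaving the log4j 1.x jar used by JRI's own logging in place, and optionally does the same in an unexploded WAR with `zip -d`. As a practical check it also looks inside each 2.x jar for `org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class through which CVE-2021-44228 is triggered in log4j-core 2.x, so you can confirm which jar actually carried the vulnerable code. The `jri/WEB-INF/lib` path comes from the comment; the function names and the sample jar names used when exercising it (including `jasperreports-6.17.0.jar`) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of JasperReportsIntegration. Assumes an exploded
# deployment with the layout jri/WEB-INF/lib; unzip/zip are only needed for the
# optional class check and for editing a WAR that has not been exploded.

# Print one line per log4j jar in DIR: "<file> <version> <major>".
# The version is the trailing dotted number of the file name, so
# log4j-core-2.8.2.jar -> "2.8.2 2" and log4j-1.2.15.jar -> "1.2.15 1".
list_log4j_jars() {
    dir=$1
    for f in "$dir"/log4j*.jar; do
        [ -e "$f" ] || continue            # the glob matched nothing
        file=$(basename "$f")
        version=$(printf '%s\n' "${file%.jar}" | sed -n 's/.*-\([0-9][0-9.]*\)$/\1/p')
        major=${version%%.*}
        printf '%s %s %s\n' "$file" "$version" "$major"
    done
}

# Number of log4j jars in DIR, printed as a bare integer.
count_log4j_jars() {
    list_log4j_jars "$1" | {
        n=0
        while read -r _file _version _major; do n=$((n + 1)); done
        echo "$n"
    }
}

# Exit 0 if JAR contains the JndiLookup class (shipped only by log4j-core 2.x),
# 1 if it does not or the jar cannot be inspected (no unzip, or not a zip file).
has_jndi_lookup() {
    command -v unzip >/dev/null 2>&1 || return 1
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup\.class'
}

# Delete every log4j 2.x jar from DIR and report each decision. The log4j 1.x
# jar used by JRI's own logging is left alone (it is upgraded separately).
remove_log4j2_jars() {
    dir=$1
    list_log4j_jars "$dir" | while read -r file version major; do
        if [ "$major" = "2" ]; then
            if has_jndi_lookup "$dir/$file"; then
                echo "removed $file ($version, contains JndiLookup.class)"
            else
                echo "removed $file ($version)"
            fi
            rm -f "$dir/$file"
        else
            echo "kept    $file ($version)"
        fi
    done
}

# Same pruning on an unexploded WAR: delete the WEB-INF/lib/log4j*-2.x.y.jar
# entries in place with zip -d. Requires zip and unzip.
remove_log4j2_from_war() {
    war=$1
    command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1 || {
        echo "zip/unzip not available; explode the WAR and use remove_log4j2_jars" >&2
        return 1
    }
    unzip -Z1 "$war" | grep '^WEB-INF/lib/log4j.*-2\.[0-9.]*\.jar$' | while read -r entry; do
        zip -q -d "$war" "$entry" && echo "removed $entry from $war"
    done
}
```

Typical use is `remove_log4j2_jars jri/WEB-INF/lib` (or `remove_log4j2_from_war jri.war`) followed by a restart of the servlet container, then `list_log4j_jars jri/WEB-INF/lib` to confirm only the 1.x jar remains. The classification is by file name, which is why the `has_jndi_lookup` check is there: a renamed or shaded jar would slip past the name match, so run the class check over every jar in the directory if you are not sure of the provenance of the files.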

daust commented 2 years ago

New release published v2.7.1 without the log4j2x libraries.

I will upgrade the log4j1.x libraries in v2.8.0.

nlwilson02 commented 2 years ago

Thank you so very much!!!! Your expertise is very appreciated!


daust commented 2 years ago

Hi @nlwilson02, you are welcome :).

Thank you for the appreciation ~Dietmar.