search cancel

CVE-2021-44228 - log4j vulnerability and Clarity

book

Article ID: 230248

calendar_today

Updated On:

Products

Clarity PPM On Premise Clarity PPM SaaS

Issue/Introduction

A critical vulnerability within the Apache Log4j 2 Security Vulnerability CVE-2021-45046 and its impacts with Clarity, Jaspersoft, and ODATA (Clarity SaaS)

Not Impacted

  • Clarity SaaS and Clarity On-Premise Customers are not affected by this vulnerability as Clarity is not impacted since all versions of Clarity are on Log4j 1.2.15 or older. CVE-2021-45046 reported vulnerability on Log 4j 2.0 to 2.16. Hence no remediation steps are needed for Clarity SaaS and Clarity On-Premise customers.
  • Clarity SaaS ODATA service is also not impacted as it is using Apache Log4j 1.2.XX. 
  • Jaspersoft 7.1/7.1.3 is not impacted as these versions of Jaspersoft are on Log4j 1.2.XX. 

Impacted 

  • Jaspersoft 7.8 is impacted

Environment

  • Clarity SaaS and Clarity On Premise with Jaspersoft 7.8 Only

Resolution

GCP SaaS Customers

  • Mitigations for Jaspersoft on SaaS have been done during our January 2022 Monthly Maintenance and more information can be found on the Clarity SaaS Status Page
    • Both Production and Non Production will be addressed 

 On Premise Customers

  • Now you can upgrade Jaspersoft to use log4j-2.17.2
  • To mitigate the Jaspersoft, follow the below steps
  • Stop the Jaspersoft Services 
    1. Delete the content from $JASPERSOFT_TOMCAT_HOME/work
    2. Backup the folder ($JASPERSOFT_TOMCAT_HOME/webapps/reportservice/WEB-INF/lib) and keep it outside $JASPERSOFT_TOMCAT_HOME
    3. Delete the following files from the folder  $JASPERSOFT_TOMCAT_HOME/webapps/reportservice/WEB-INF/lib These will show up as 2.15 or 2.16 or version earlier than 2.17.2
      •  log4j-1.2-api-2.15.0
      •  log4j-api-2.15.0
      •  log4j-core-2.15.0
      •  log4j-jcl-2.15.0
      •  log4j-jul-2.15.0
      •  log4j-slf4j-impl-2.15.0
      •  log4j-web-2.15.0
    4. Replace them with the files provided in this document (under the Attachments section)
    5. Start the Jaspersoft Services 
  • If you keep your Jaspersoft installation media, there is a file jasperserver-pro.war that can trigger vulnerability reports
    • This is an installation file that contains all the Jaspersoft files
    • Once you've installed Jaspersoft you can remove it as it's not in use

Additional Information

This fix will also address CVE-2021-44832 in log4j-2.17.2. We recommend to keep an eye on any possible updates to this article and to keep up to date

 

Useful links:

Attachments

1654029858116__log4j-2.17.2-jars.zip get_app