A critical vulnerability within the Apache Log4j 2 Security Vulnerability CVE-2021-45046 and its impacts with Clarity, Jaspersoft, and ODATA (Clarity SaaS)

Not Impacted

• Clarity SaaS and Clarity On-Premise Customers are not affected by this vulnerability as Clarity is not impacted since all versions of Clarity are on Log4j 1.2.15 or older. CVE-2021-45046 reported vulnerability on Log 4j 2.0 to 2.16. Hence no remediation steps are needed for Clarity SaaS and Clarity On-Premise customers. Also Clarity  Log4j library has been upgraded starting Clarity 16.1.3, please refer to TPSR in Broadcom Documentation for respective version
• Clarity SaaS ODATA service is also not impacted as it is using Apache Log4j 1.2.XX. 
• Jaspersoft 7.1/7.1.3 is not impacted as these versions of Jaspersoft are on Log4j 1.2.XX. 

Impacted 

• Jaspersoft 7.8 is impacted

• Clarity SaaS and Clarity On Premise with Jaspersoft 7.8 Only

GCP SaaS Customers

• Mitigations for Jaspersoft on SaaS have been done during our January 2022 Monthly Maintenance and more information can be found on the Clarity SaaS Status Page
  • Both Production and Non Production will be addressed 

 On Premise Customers

• Now you can upgrade Jaspersoft to use log4j-2.17.2
• To mitigate the Jaspersoft, follow the below steps
• Stop the Jaspersoft Services 
  1. Delete the content from $JASPERSOFT_TOMCAT_HOME/work
  2. Backup the folder ($JASPERSOFT_TOMCAT_HOME/webapps/reportservice/WEB-INF/lib) and keep it outside $JASPERSOFT_TOMCAT_HOME
  3. Delete the following files from the folder  $JASPERSOFT_TOMCAT_HOME/webapps/reportservice/WEB-INF/lib These will show up as 2.15 or 2.16 or version earlier than 2.17.2
     
     •  log4j-1.2-api-2.15.0
     •  log4j-api-2.15.0
     •  log4j-core-2.15.0
     •  log4j-jcl-2.15.0
     •  log4j-jul-2.15.0
     •  log4j-slf4j-impl-2.15.0
     •  log4j-web-2.15.0
  4. Replace them with the files provided in this document (under the Attachments section)
  5. Start the Jaspersoft Services 
• If you keep your Jaspersoft installation media, there is a file jasperserver-pro.war that can trigger vulnerability reports
  • This is an installation file that contains all the Jaspersoft files
  Once you've installed Jaspersoft you can remove it as it's not in use

Note: Log4j library has been upgraded in Clarity 16.1.3, please refer to TPSR in Broadcom Documentation

This fix will also address CVE-2021-44832 in log4j-2.17.2. We recommend to keep an eye on any possible updates to this article and to keep up to date

Useful links:

• Broadcom Advisory for other Products
• Note: There is a change in mitigation steps provided earlier based on the recent guidance from security teams and the fix has been tested by the Clarity engineering team
• Open Workbench and log4j vulnerability
• Is Clarity vulnerable to CVE-2021-4104 and CVE-2021-45105