CVE-2021-44228 and CVE-2021-45046, Impact with Jaspersoft Studio

Article ID: 374575

Products

Clarity PPM SaaS Clarity PPM On Premise

Issue/Introduction

Vulnerability scans report the critical Apache Log4j 2 vulnerabilities CVE-2021-44228 and CVE-2021-45046 against files shipped with Jaspersoft Studio 7.9.

Environment

All supported Clarity versions used together with Jaspersoft Studio 7.9

Cause

Jaspersoft Studio Professional is used to connect to Advanced Reporting in order to create, download, upload, and publish reports. A report developer user and a server connection are required to connect to Advanced Reporting. Data adapters can also be created in Jaspersoft Studio to test report queries.

Vulnerability scans flag the following files as affected by CVE-2021-44228 and CVE-2021-45046:

  • impala-jdbc42-2.6.18.1021.jar
  • spark-jdbc42-2.6.16.1020.jar
  • log4j-core-2.8.2.jar

These files are located under the Jaspersoft Studio installation directory (example paths below). The Clarity integration with Jaspersoft does not use the Impala and Spark JDBC driver jars, so they can be deleted outright; the log4j-core jar is replaced with a fixed version (see Resolution).

  • c:\program files\tibco\jaspersoft studio professional-7.9.0\configuration\org.eclipse.osgi\40\0\.cp\lib\simba
  • c:\program files\tibco\jaspersoft studio professional-7.9.0\jrio\jrio\web-inf\lib\

Resolution

  • Close Jaspersoft Studio.
  • Delete impala-jdbc42-2.6.18.1021.jar and spark-jdbc42-2.6.16.1020.jar from the following directories:
    • c:\program files\tibco\jaspersoft studio professional-7.9.0\configuration\org.eclipse.osgi\40\0\.cp\lib\simba
    • c:\program files\tibco\jaspersoft studio professional-7.9.0\jrio\jrio\web-inf\lib\
  • Replace log4j-core-2.8.2.jar with the attached log4j-core-2.22.1.jar.
  • Re-run the vulnerability scan to confirm that the findings are cleared.
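The scanner findings in the Cause section and the remediation steps above can both be checked with a small script that walks the installation tree, opens every jar (including jars nested inside other jars), and reports any Log4j 2 core code it finds together with its version. This is an added example, not Broadcom or TIBCO code. It assumes that log4j-core jars carry their Maven `pom.properties` under `META-INF/maven/org.apache.logging.log4j/`, and that shaded drivers (such as the Simba Impala and Spark JDBC jars) relocate the package but keep the `JndiLookup.class` name; a jar with that class but no readable version is reported as affected so that it gets a manual look. The `JndiLookup` class still exists in fixed Log4j releases (JNDI is disabled by default there), so presence alone is not the verdict; the version is. The install path used as the default root is the one from this article and is only a placeholder.

```python
"""Pre/post check for the Log4j remediation: find Log4j 2 core code under an
install tree and report whether its version is affected by CVE-2021-44228 /
CVE-2021-45046.  Added example; not Broadcom or TIBCO code."""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# The JNDI lookup code path exploited by CVE-2021-44228 lives in this class.
# Shaded drivers relocate the package prefix but keep the class name, so the
# match is on the path suffix rather than the exact path.
JNDI_LOOKUP_SUFFIX = "/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j jars; used to read the exact version.
POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/(log4j-core|log4j-api)/pom\.properties$"
)


@dataclass
class Finding:
    location: str           # file path; "!" separates nested jar entries
    artifact: str           # "log4j-core" or "log4j-api"
    version: Optional[str]  # None when no pom.properties was found
    affected: bool          # True when vulnerable or when the version is unknown


def parse_version(text: str) -> tuple:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable log4j version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(version: Optional[str]) -> bool:
    """CVE-2021-44228 and CVE-2021-45046 are fixed in 2.16.0 on the main line
    and in the 2.12.2 (Java 7) and 2.3.1 (Java 6) backport lines.  An unknown
    version is reported as affected so that it is reviewed by hand."""
    if version is None:
        return True
    v = parse_version(version)
    if v[:2] == (2, 12):
        return v < (2, 12, 2)
    if v[:2] == (2, 3):
        return v < (2, 3, 1)
    return v < (2, 16, 0)


def _read_pom_version(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(data: bytes, location: str) -> List[Finding]:
    """Inspect one jar given as bytes, recursing into jar entries inside it."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip archive at all: nothing to inspect
    versions = {}        # artifact name -> version from pom.properties
    has_jndi = False
    with zf:
        for entry in zf.namelist():
            if entry.endswith(JNDI_LOOKUP_SUFFIX):
                has_jndi = True
            m = POM_RE.search(entry)
            if m:
                versions[m.group(1)] = _read_pom_version(zf.read(entry))
            if entry.lower().endswith(".jar"):
                findings.extend(inspect_jar(zf.read(entry), f"{location}!{entry}"))
    if has_jndi or "log4j-core" in versions:
        core_version = versions.get("log4j-core")
        findings.append(Finding(location, "log4j-core", core_version, is_affected(core_version)))
    if "log4j-api" in versions:
        # The bug is not in log4j-api; it is listed so that a core/api version
        # mismatch after replacing log4j-core can be spotted and reviewed.
        findings.append(Finding(location, "log4j-api", versions["log4j-api"], False))
    return findings


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(inspect_jar(fh.read(), path))
    return findings


def affected_locations(root: str) -> List[str]:
    """Jar locations that still need remediation (empty once the fix is done)."""
    return sorted(f.location for f in scan_tree(root) if f.affected)


if __name__ == "__main__":
    import sys
    # Placeholder default taken from the article; pass the real root as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\TIBCO\Jaspersoft Studio Professional-7.9.0"
    for f in scan_tree(root):
        print(("AFFECTED " if f.affected else "ok       ") + f"{f.artifact} {f.version or '?'}  {f.location}")
```

Run it once before the change to see the three files from the Cause section reported (the two driver jars show as affected with an unknown version because their relocated log4j classes carry no pom metadata), and again afterwards: the expected result is an empty list from `affected_locations`. If the output still lists a log4j-api jar at an older version than the replaced log4j-core, check that pairing too, since log4j-core is built against the log4j-api of the same release.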

Additional Information

Note: No file changes are needed on Jaspersoft Server 8.x or 9.x, as those versions are not affected.

Attachments

log4j-core-2.22.1.jar