CVE-2021-44228 - log4j vulnerability and Clarity
search cancel

CVE-2021-44228 - log4j vulnerability and Clarity


Article ID: 230248


Updated On:


Clarity PPM On Premise Clarity PPM SaaS


A critical vulnerability within the Apache Log4j 2 Security Vulnerability CVE-2021-45046 and its impacts with Clarity, Jaspersoft, and ODATA (Clarity SaaS)

Not Impacted

  • Clarity SaaS and Clarity On-Premise Customers are not affected by this vulnerability as Clarity is not impacted since all versions of Clarity are on Log4j 1.2.15 or older. CVE-2021-45046 reported vulnerability on Log 4j 2.0 to 2.16. Hence no remediation steps are needed for Clarity SaaS and Clarity On-Premise customers.
  • Clarity SaaS ODATA service is also not impacted as it is using Apache Log4j 1.2.XX. 
  • Jaspersoft 7.1/7.1.3 is not impacted as these versions of Jaspersoft are on Log4j 1.2.XX. 


  • Jaspersoft 7.8 is impacted


  • Clarity SaaS and Clarity On Premise with Jaspersoft 7.8 Only


GCP SaaS Customers

  • Mitigations for Jaspersoft on SaaS have been done during our January 2022 Monthly Maintenance and more information can be found on the Clarity SaaS Status Page
    • Both Production and Non Production will be addressed 

 On Premise Customers

  • Now you can upgrade Jaspersoft to use log4j-2.17.2
  • To mitigate the Jaspersoft, follow the below steps
  • Stop the Jaspersoft Services 
    1. Delete the content from $JASPERSOFT_TOMCAT_HOME/work
    2. Backup the folder ($JASPERSOFT_TOMCAT_HOME/webapps/reportservice/WEB-INF/lib) and keep it outside $JASPERSOFT_TOMCAT_HOME
    3. Delete the following files from the folder  $JASPERSOFT_TOMCAT_HOME/webapps/reportservice/WEB-INF/lib These will show up as 2.15 or 2.16 or version earlier than 2.17.2
      •  log4j-1.2-api-2.15.0
      •  log4j-api-2.15.0
      •  log4j-core-2.15.0
      •  log4j-jcl-2.15.0
      •  log4j-jul-2.15.0
      •  log4j-slf4j-impl-2.15.0
      •  log4j-web-2.15.0
    4. Replace them with the files provided in this document (under the Attachments section)
    5. Start the Jaspersoft Services 
  • If you keep your Jaspersoft installation media, there is a file jasperserver-pro.war that can trigger vulnerability reports
    • This is an installation file that contains all the Jaspersoft files
    • Once you've installed Jaspersoft you can remove it as it's not in use



Note: Log4j library has been upgraded in Clarity 16.1.3, please refer to TPSR in Broadcom Documentation

Additional Information

This fix will also address CVE-2021-44832 in log4j-2.17.2. We recommend to keep an eye on any possible updates to this article and to keep up to date


Useful links:

Attachments get_app