Announcement

Migration of this forum

Dear users of this forum,

we are pleased to inform you that we will be updating the software behind this forum in the near future.

Existing posts, users and categories will remain untouched.

Important:

  • Each user will need to reset their password.
  • Please select "I forgot my password".
  • Enter the email address you used to register in this forum.
  • You will receive an email with a link to set a new password.
  • Please choose a new (secure) password and confirm the process.

We will keep you informed in the pinned thread.

Kind regards,
Your ReportServer Team



#1 2021-12-13 10:19:33

IF_Eduardo
Administrator
Registered: 2016-11-01

ReportServer and CVE-2021-44228 (Log4j) Information

Hi,

as many of you have probably heard, log4j 2 (2.0 until 2.14.1) has this critical security issue: CVE-2021-44228.

ReportServer is not affected by this in its default configuration. Why?
- ReportServer does not use log4j 2, only log4j-over-slf4j-1.7.12 and slf4j-jdk14 1.7.12, which are not affected; refer to: http://slf4j.org/log4shell.html

- If you use Crystal Reports as described here: https://reportserver.net/en/guides/admi … l-Reports/ you are affected, though, as Crystal (in its current version CR4ERL27_0-80004572) uses log4j-2.14.0 (both log4j-core.jar and log4j-api.jar). In this case, you can upgrade to at least log4j-2.17.0 by removing log4j-core.jar and log4j-api.jar and replacing them with a version >= 2.17.0.

- Tomcat is not affected in its default configuration: https://www.geekyhacker.com/2021/12/11/ … erability/

The following libraries/frameworks don’t appear to use Log4j by default, though they may optionally be configured to use it.
- Apache Tomcat

If your Tomcat is configured to use Log4j, you can run the mitigation steps described in the link or, better, upgrade to log4j >= 2.17.0.

--------------------------------------------
Edit 30.08.2022:

As of ReportServer 4.3.0 we added the log4j-core-2.18.0.jar and log4j-api-2.18.0.jar jars because of a Mondrian dependency.
Details can be found here: https://reportserver.net/releasenotes/RS4.3.0.html

These libraries are not affected, as log4j is only affected until 2.14.1.

Regarding Crystal, you can use the log4j adapter (log4j-1.2-api) as described here: https://reportserver.net/en/guides/admi … l-Reports/

--------------------------------------------

Best regards,
Your ReportServer Team
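
An added example, not part of the original post and not ReportServer code: a small inventory script that lists the log4j-core jars under a library directory and marks those below the 2.17.0 upgrade target named in the post. The directory argument and the in-jar paths for `pom.properties` and `JndiLookup.class` are assumptions based on the standard log4j-core jar layout; the version is read from inside the jar because Crystal's jars are named without one.

```python
import re, sys, zipfile
from pathlib import Path

MIN_VERSION = (2, 17, 0)  # upgrade target named in the post
# Standard locations inside a log4j-core jar (assumed layout, not from the post).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Return (major, minor, patch) found in text such as '2.14.0', else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_jar(path):
    """Describe one jar, or return None when it is not log4j-core."""
    path = Path(path)
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM not in names and not path.name.startswith("log4j-core"):
            return None
        version = None
        if POM in names:  # embedded metadata beats the file name
            for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line)
    version = version or parse_version(path.name)
    if version is None:
        status = "unknown"
    else:
        status = "upgrade" if version < MIN_VERSION else "ok"
    return {"jar": path.name, "version": version,
            "jndi_lookup": JNDI in names, "status": status}

def scan(lib_dir):
    """Inspect every jar below lib_dir; unreadable archives are reported, not skipped."""
    results = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        try:
            found = inspect_jar(jar)
        except (zipfile.BadZipFile, OSError):
            found = {"jar": jar.name, "version": None,
                     "jndi_lookup": False, "status": "unreadable"}
        if found:
            results.append(found)
    return results

if __name__ == "__main__":
    for row in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(row)
```

Run it with the webapp's library directory as the only argument; jars reported as `unknown` or `unreadable` need a manual look.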
