#1 2021-12-13 10:19:33

Registered: 2016-11-01

ReportServer and CVE-2021-44228 (Log4j) Information


as many of you probably heard, log4j 2 (2.0 until 2.14.1) has this critical security issue: CVE-2021-44228.

ReportServer is not affected by this on its default configuration. Why?
- ReportServer does not use log4j 2, only log4j-over-slf4j-1.7.12 and slf4j-jdk14 1.7.12, which are not affected, refer to: http://slf4j.org/log4shell.html

- If you use Crystal Reports as described here: https://reportserver.net/en/guides/admi … l-Reports/ you are, affected, though, as Crystal (on its current version CR4ERL27_0-80004572) uses log4j-2.14.0 (both log4j-core.jar and log4j-api.jar). In this case, you can upgrade to at least log4j-2.17.0 by removing log4j-core.jar and log4j-api.jar and replacing them by a version >= 2.17.0.

- Tomcat is not affected on its default configuration: https://www.geekyhacker.com/2021/12/11/ … erability/

The following libraries/frameworks don’t appear to use Log4j by default, though they may optionally be configured to use it.
-Apache Tomcat

If your Tomcat is configured to use Log4j, you can run the mitigation steps described in the link or, better, upgrade to to log4j >= 2.17.0.

Edit 30.08.2022:

As of ReportServer 4.3.0 we added the log4j-core-2.18.0.jar and log4j-api-2.18.0.jar jars because of a Mondrian dependency.
Details can be found here: https://reportserver.net/releasenotes/RS4.3.0.html

These libraries are not affected, as log4j is only affected until 2.14.1.

Regarding Crystal, you can use the log4j adapter (log4j-1.2-api) as described here: https://reportserver.net/en/guides/admi … l-Reports/


Best regards,
Your ReportServer Team


Board footer

Powered by FluxBB