Log4j Security Vulnerability and Jasperserver

Posted by admin, in Jaspersoft

Recently a security vulnerability in the Apache Log4j logging framework was uncovered. This vulnerability, known as Log4Shell, has been classified as severity level “critical” by Apache. The affected log4j versions are “all versions from 2.0-beta9 to 2.14.1”. From log4j 2.15.0, this has been fixed by default.

The Jasperserver application also uses the Log4j library, so it is critical to verify whether your jasperserver installation is using one of the affected versions. The latest versions of jasperserver ship version 2.13 of the log4j library, which is affected.


How to check?

Go to

<jasperserver installation dir>/apache-tomcat/webapps/jasperserver[-pro]/WEB-INF/lib

Look for the log4j-core-X.XX.X.jar file; the version number of the library is present in the name of the jar file itself.

Example –

user@ip-xxx-xx-xx-xx:/opt/jasperreports-server-cp-7.8.0/apache-tomcat/webapps/jasperserver/WEB-INF/lib# ls -ltr | grep log4j
-rw-rw-r-- 1 ubuntu root    11366 Aug  7  2020 LICENSE.log4j.txt
-rw-rw-r-- 1 ubuntu root  1714164 Aug  7  2020 log4j-core-2.13.3.jar
-rw-rw-r-- 1 ubuntu root   292301 Aug  7  2020 log4j-api-2.13.3.jar
-rw-rw-r-- 1 ubuntu root   201685 Aug  7  2020 log4j-1.2-api-2.13.3.jar
-rw-rw-r-- 1 ubuntu root    23590 Aug  7  2020 log4j-slf4j-impl-2.13.3.jar
-rw-rw-r-- 1 ubuntu root    12656 Aug  7  2020 log4j-jcl-2.13.3.jar
-rw-rw-r-- 1 ubuntu root    26161 Aug  7  2020 log4j-jul-2.13.3.jar
-rw-rw-r-- 1 ubuntu root    32722 Aug  7  2020 log4j-web-2.13.3.jar
-rw-rw-r-- 1 ubuntu root     6819 Aug  7  2020 jmx-logger-log4j-0.3.1.jar

You can see that in the above installation, version 2.13 of the Log4j library is used.

How to patch?

Apache has released mitigations / fixes which we can apply based on the version of the Log4j library.

Refer – https://logging.apache.org/log4j/2.x/security.html

For Log4j v2.13, there are 2 fixes –

  1. Set either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  2. Modify all PatternLayout patterns to specify the message converter as %m{nolookups} instead of just %m.

Follow these steps –

Step 1 – To set the system property, edit the setenv.sh / setenv.bat file in the tomcat/bin folder.

user@ip-xxx-xx-xx-xx:/opt/jasperreports-server-cp-7.8.0/apache-tomcat/bin# vi setenv.sh

Add these lines –

JAVA_OPTS="-Djs.license.directory=/opt/jasperreports-server-cp-7.8.0 -Dlog4j2.formatMsgNoLookups=true $JAVA_OPTS "
export JAVA_OPTS

Step 2 – To modify all PatternLayout patterns, edit the log4j2.properties file inside the jasperserver/WEB-INF directory.

user@ip-xxx-xx-xx-xx:/opt/jasperreports-server-cp-7.8.0/apache-tomcat/webapps/jasperserver/WEB-INF$ vi log4j2.properties

Modify these lines, changing %m to %m{nolookups} (shown here after the change):

appender.stdout.layout.pattern=%d{ISO8601} %5p %c{1},%t:%L - %m{nolookups}%ex%n

appender.fileout.layout.pattern=%d{ISO8601} %5p %c{1},%t:%L - %m{nolookups}%ex%n

appender.jasperanalysis.layout.pattern=%d{ISO8601} %5p %c{1},%t:%L - %m{nolookups}%ex%n

Step 3 – Restart Jasperserver. After the restart, the -Dlog4j2.formatMsgNoLookups=true property should be visible on the running Tomcat process:


user@ip-xxx-xx-xx-xx:~$ ps -ef | grep tomcat
root     1223077       1  0 Dec13 ?        00:05:46 /opt/jasperreports-server-cp-7.8.0/java/bin/java -Djava.util.logging.config.file=/opt/jasperreports-server-cp-7.8.0/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m -Xmx2048m -Xss2m -Djs.license.directory=/opt/jasperreports-server-cp-7.8.0 -Dlog4j2.formatMsgNoLookups=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /opt/jasperreports-server-cp-7.8.0/apache-tomcat/bin/bootstrap.jar:/opt/jasperreports-server-cp-7.8.0/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/jasperreports-server-cp-7.8.0/apache-tomcat -Dcatalina.home=/opt/jasperreports-server-cp-7.8.0/apache-tomcat -Djava.io.tmpdir=/opt/jasperreports-server-cp-7.8.0/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start

If your jasper installation is using another vulnerable version of the log4j library, please refer to https://logging.apache.org/log4j/2.x/security.html for mitigation steps.
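The check and the two mitigation steps above, as an added shell script that is not part of the original post: it reads the log4j-core version from the jar name, tests it against the affected range, counts layout patterns in log4j2.properties that still use a bare %m, and looks for the system property on the running Tomcat command line. The script name log4shell_check.sh and the log4j-core-<version>.jar naming convention are assumptions.

```shell
# Added example, not from the original post: triage helper for the Jasperserver
# Log4Shell check and mitigation steps. Assumes log4j-core-<version>.jar naming
# and the Apache-stated affected range 2.0-beta9 .. 2.14.1.
# log4j-core-2.13.3.jar -> 2.13.3
log4j_version_from_jar() {
  f=$(basename "$1"); f=${f#log4j-core-}; printf '%s\n' "${f%.jar}"
}
# Returns 0 if a log4j 2.x version lies in the affected range, 1 otherwise.
log4j_is_affected() {
  v=$1
  case "$v" in
    2.0-beta*) n=${v#2.0-beta}; [ "${n%%[!0-9]*}" -ge 9 ] ;;
    2.0-rc*)   return 0 ;;
    2.*) rest=${v#2.}; minor=${rest%%.*}; patch=${rest#*.}
      [ "$patch" = "$rest" ] && patch=0                  # "2.14" has no patch part
      minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}  # drop e.g. -SNAPSHOT
      [ "$minor" -lt 14 ] && return 0
      [ "$minor" -eq 14 ] && [ "${patch:-0}" -le 1 ] && return 0
      return 1 ;;
    *) return 1 ;;
  esac
}
# Lists every log4j-core jar under WEB-INF/lib; returns 0 only if none is affected.
check_lib_dir() {
  status=0
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || { echo "no log4j-core jar in $1"; break; }
    ver=$(log4j_version_from_jar "$jar")
    if log4j_is_affected "$ver"; then echo "AFFECTED $ver $jar"; status=1
    else echo "OK $ver $jar"; fi
  done
  return $status
}
# Counts layout.pattern lines still using a bare %m / %msg / %message (no {nolookups}).
count_unmitigated_patterns() {
  grep -E '^[^#]*layout\.pattern=' "$1" 2>/dev/null |
    grep -Ec '%(m|msg|message)([^{a-zA-Z]|$)' || true
}
# Checks a Java command line (default: the running Tomcat, via ps) for the property.
jvm_has_nolookups() {
  cmd=${1:-$(ps -ef | grep '[o]rg.apache.catalina.startup.Bootstrap')}
  case " $cmd " in *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;; *) return 1 ;; esac
}
if [ -n "$1" ]; then  # usage: sh log4shell_check.sh /opt/jasperreports-server-cp-7.8.0
  base=$1/apache-tomcat/webapps/jasperserver; [ -d "${base}-pro" ] && base=${base}-pro
  check_lib_dir "$base/WEB-INF/lib" || echo "affected log4j-core present: apply the mitigation steps"
  echo "layout patterns still using bare %m: $(count_unmitigated_patterns "$base/WEB-INF/log4j2.properties")"
  jvm_has_nolookups && echo "JVM has formatMsgNoLookups=true" || echo "JVM lacks formatMsgNoLookups=true"
fi
```

Treat a clean result as triage only: the Apache security page linked above now recommends upgrading log4j-core rather than relying on the property or pattern settings alone.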

Thank You,
Shraddha Tambe
Helical IT Solutions Pvt Ltd
