TIBCO Jaspersoft: Mitigation for CVE-2021-44228 (Log4Shell)


Article ID: KB0072704


Description

TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Exploiting it requires an attacker to control the content of a log message, or at least the parameters substituted into one. This vulnerability theoretically enables arbitrary code to be executed on the affected system.

TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

Issue/Introduction

This article contains mitigation steps for the Apache Log4J vulnerability (CVE-2021-44228) for TIBCO Jaspersoft products.

Environment

All Supported Platforms

Resolution

The recommended solution is to apply the latest hotfix for your corresponding JasperReports Server version:

7.5.2 (also compatible with JRS 7.5.1): https://support.tibco.com/s/hotfixes?id=a014z00000yU9cVAAS
7.8.1 (also compatible with JRS 7.8.0): https://support.tibco.com/s/hotfixes?id=a014z00000yU9caAAC
7.9.1 (also compatible with JRS 7.9.0): https://support.tibco.com/s/hotfixes?id=a014z00000yU9cfAAC
8.0.0: https://support.tibco.com/s/hotfixes?id=a014z00000yUB2NAAW

For Jaspersoft Studio, the hotfixes are available for the following versions:
JSS Pro 7.3.1: https://support.tibco.com/s/hotfixes?id=a014z00000yUBUZAA4
JSS Pro 7.5.0: https://support.tibco.com/s/hotfixes?id=a014z00000yUBUeAAO
JSS Pro 7.8.0: https://support.tibco.com/s/hotfixes?id=a014z00000yU0utAAC
JSS Pro 7.9.0: https://support.tibco.com/s/hotfixes?id=a014z00000yTuU3AAK
JSS Pro 8.0.0: https://support.tibco.com/s/hotfixes?id=a014z00000yUBUjAAO

For JasperReports IO, the hotfixes are available for the following versions:
JRIO Pro 1.3.0: https://support.tibco.com/s/hotfixes?id=a014z00000yUBW1AAO
JRIO Pro 2.0.0: https://support.tibco.com/s/hotfixes?id=a014z00000yUBW6AAO
JRIO AtScale 2.0.0: https://support.tibco.com/s/hotfixes?id=a014z00000yUBWBAA4
JRIO AtScale 3.0.0: https://support.tibco.com/s/hotfixes?id=a014z00000yUBWGAA4

The primary purpose of this latest iteration of the hotfixes is to update the log4j JARs to version 2.17.0.

Alternatively, see the attached file "Jaspersoft_Mitigation_CVE-2021-44228.pdf" for the manual mitigation steps for the issue. These instructions are based on the mitigation documented by Apache for different vulnerable versions of Log4j2.
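To confirm on a server that the hotfix (or the manual mitigation) has actually taken effect, the following added script, which is not part of this KB article or of the TIBCO hotfixes, walks an installation directory (placeholder path) and reports every log4j-core JAR it finds. It assumes the JAR file names carry their version and that the manual mitigation for older versions removes JndiLookup.class from the JAR, as documented by Apache.

```python
"""Report whether each log4j-core JAR under a directory is at or above 2.17.0,
the version the Jaspersoft hotfixes install. Added example, not TIBCO code."""
import os
import re
import zipfile

HOTFIX_VERSION = (2, 17, 0)
# Class that Apache's documented manual mitigation removes from older JARs.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches names such as log4j-core-2.13.3.jar and log4j-core-2.0-beta9.jar
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")

def parse_version(filename):
    """Return (major, minor, patch) from a log4j-core JAR name, or None."""
    m = JAR_RE.match(os.path.basename(filename))
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(filename, has_jndi_lookup=True):
    """'ok'        version >= 2.17.0: hotfix (or equivalent upgrade) in place
    'mitigated' older JAR with JndiLookup.class removed (manual mitigation)
    'needs-fix' older JAR still carrying JndiLookup.class
    'unknown'   not a recognisable log4j-core JAR name"""
    version = parse_version(filename)
    if version is None:
        return "unknown"
    if version >= HOTFIX_VERSION:
        return "ok"
    return "mitigated" if not has_jndi_lookup else "needs-fix"

def jar_has_jndi_lookup(path):
    """True if the JAR on disk still contains JndiLookup.class."""
    with zipfile.ZipFile(path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def scan(root):
    """Walk root (placeholder: your JasperReports Server install directory)
    and classify every log4j-core JAR found, keyed by path."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                results[path] = classify(name, jar_has_jndi_lookup(path))
    return results

if __name__ == "__main__":
    import sys
    for path, status in sorted(scan(sys.argv[1]).items()):
        print(f"{status:10} {path}")
```

Any JAR reported as needs-fix means neither the hotfix nor the manual mitigation has reached that copy of log4j-core; embedded or bundled copies are found the same way because the walk covers the whole tree.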

We will provide updates as more information becomes available and we complete our investigation. Please contact TIBCO Support with any questions.

Additional Information

Apache Log4J Vulnerability Update
KB 000045606 Apache Log4J Vulnerability and Impact to TIBCO Products and Services

Attachments

TIBCO Jaspersoft: Mitigation for CVE-2021-44228 (Log4Shell)