How to address the Critical Apache Log4j Vulnerability in WorldServer 11.x

Information

Article Type: Solution Article
Scope/Environment: WorldServer
Symptoms/Context
On December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server, a so-called Remote Code Execution (RCE).

Because of the widespread use of Java and log4j, this is likely one of the most serious vulnerabilities on the Internet since Heartbleed and ShellShock.

It is tracked as CVE-2021-44228 and affects log4j version 2 from 2.0-beta-9 through 2.14.1.
It is not present in log4j version 1 and is patched in version 2.15.0.

This issue impacts all WorldServer 11 versions. It does not impact WorldServer 10 deployments. On the Jasper Report side, only versions 7.5 and 7.9 are affected; these versions ship with WorldServer versions 11.6.1 to 11.7.1. There is no need to fix any vulnerability on the Jasper Report side for WorldServer versions below 11.6.x.
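
As an added illustration (not part of this article or of WorldServer's own tooling), the script below inventories `log4j-core` jars under an install directory and classifies each one against the version ranges stated above (affected from 2.0-beta-9 through 2.14.1, patched from 2.15.0). The check for `org/apache/logging/log4j/core/lookup/JndiLookup.class` inside each jar and the stub jars built by `demo()` are assumptions added for the example, not details from the article.

```python
import re, tempfile, zipfile
from pathlib import Path

# Assumption for this example: the class that carries the JNDI lookup in affected builds.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-[a-z0-9]+)*)\.jar$", re.I)

def parse_version(text):
    """'2.0-beta-9' / '2.14.1' -> sortable tuple; pre-release qualifiers sort before the final release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)-?(\d+)?)?$", text.lower())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text}")
    major, minor, patch, qual, qnum = m.groups()
    return (int(major), int(minor), int(patch or 0), qual or "~", int(qnum or 0))

AFFECTED_LOW = parse_version("2.0-beta-9")  # first affected release named in the article
FIXED = parse_version("2.15.0")             # first patched release named in the article

def classify(version):
    """'not-affected' (1.x or older than 2.0-beta-9), 'affected' (up to 2.14.1) or 'fixed' (2.15.0+)."""
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    return "affected" if v >= AFFECTED_LOW else "not-affected"

def scan(root):
    """Return (path, version, status, jndi_lookup_present) for each log4j-core jar under root."""
    findings = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        m = JAR_RE.search(jar.name)
        if not m:
            continue
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            has_jndi = None  # unreadable jar: flag for manual review rather than skipping it
        findings.append((str(jar), m.group(1), classify(m.group(1)), has_jndi))
    return sorted(findings)

def demo():
    """Constructed sample: two stub jars (not real log4j builds) in a temp dir, then scan it."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(JNDI_CLASS, b"stub")  # affected builds still carry JndiLookup
    with zipfile.ZipFile(root / "log4j-core-2.16.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"stub")
    return {ver: (status, jndi) for _, ver, status, jndi in scan(root)}
```

Run `scan("<WorldServer install root>")` against a real deployment and treat any `affected` entry, or any jar where `JndiLookup.class` is still present, as needing the remediation in the version-specific articles below.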

This article provides step-by-step resolutions for each WorldServer version.
 
Resolution

Customers on versions 11.6.x to 11.7.1:

Please refer to this article for step-by-step instructions:
Critical Apache Log4j Vulnerability in WorldServer 11.6.x to 11.7.1
 

Customers on versions 11.3 to 11.5 (inclusive):

Please refer to this article for step-by-step instructions:
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.3.x to 11.5.x (included)
 

Customers on versions 11.1.0, 11.1.1 and 11.2.x:

Please refer to this article for step-by-step instructions:
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.1.0, 11.1.1. and 11.2.x


Customers on versions 11.0.0 and 11.0.1:

Please refer to this article for step-by-step instructions:
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.0.0. and 11.0.1


Note: this issue will be permanently solved in the upcoming WorldServer 11.7.2 release, which will ship with Log4j 2.16.0 (or later).
 
Root Cause
WorldServer uses Log4j2, and Apache Log4j2 v2.0 through v2.14 contains a critical remote code execution vulnerability.
This issue impacts all WorldServer 11 versions and the Jasper Report Center version 7.x that are associated with versions 11.6.x to 11.7.1.
 