How to address the Critical Apache Log4j Vulnerability in WorldServer 11.x
000017707|4/1/2022 12:22 AM
On December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server, a so-called Remote Code Execution (RCE).
Because of the widespread use of Java and Log4j, this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.
It is CVE-2021-44228 and affects version 2 of Log4j between versions 2.0-beta-9 and 2.14.1. It is not present in version 1 of Log4j and is patched in version 2.15.0.
This issue impacts all WorldServer 11 versions. This issue does not impact WorldServer 10 deployments. On the Jasper Report side, only versions 7.5 and 7.9 are affected. These versions are present in WorldServer version 11.6.1 to 11.7.1. There is no need to fix any vulnerability on the Jasper Report side for WorldServer versions below 11.6.x.
This article provides step-by-step resolutions for each WorldServer version.
Note: this issue will be permanently solved in the upcoming WorldServer version 11.7.2, in which Log4j release 2.16.0 (or later) will be implemented.
Log4j2 is used in WorldServer. There is a critical remote code execution vulnerability in Apache Log4j2 v2.0 through v2.14. This issue impacts all WorldServer 11 versions and the Jasper Report Center 7.x versions that are associated with versions 11.6.x to 11.7.1.
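To see which Log4j copies an installation actually carries, the following added example (not part of the original article or of WorldServer) walks a directory and flags every `log4j-core` jar whose file-name version falls in the range stated above (2.0-beta-9 through 2.14.1, fixed in 2.15.0). The directory to scan is passed as an argument; the archive suffixes checked for bundled jars are an assumption, and no WorldServer paths are implied.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected range as stated in the article: 2.0-beta-9 through 2.14.1, fixed in 2.15.0.
FIRST_AFFECTED = (2, 0, 0, 1, 9)   # 2.0-beta9 as (major, minor, patch, stage, stage number)
FIRST_FIXED = (2, 15, 0)
STAGE = {"alpha": 0, "beta": 1, "rc": 2, "": 3}   # "" = final release
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?\.jar$", re.I)
ARCHIVES = {".war", ".ear", ".zip"}   # assumed containers that may bundle the jar


def parse_version(name):
    """Return a sortable version key for a log4j-core jar name, or None."""
    m = JAR_RE.search(name)
    if not m:
        return None   # also covers Log4j 1.x jars, which are not named log4j-core
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            STAGE[(stage or "").lower()], int(num or 0))


def is_affected(name):
    """True if the jar name carries a version inside the article's range."""
    key = parse_version(name)
    return key is not None and key >= FIRST_AFFECTED and key[:3] < FIRST_FIXED


def scan(root):
    """Return sorted (location, affected) pairs for every log4j-core jar under root."""
    found = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if parse_version(path.name):
            found.append((str(path), is_affected(path.name)))
        elif path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:   # one level of nesting only
                for member in zf.namelist():
                    if parse_version(member):
                        found.append((f"{path}!{member}", is_affected(member)))
    return sorted(found)


if __name__ == "__main__":
    for location, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("AFFECTED  " if affected else "ok        ") + location)
```

Matching is by file name only, so renamed or repackaged copies of the library and jars nested more than one archive deep are not reported.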