ReportServer and CVE-2021-44228 (Log4j) Information
As many of you have probably heard, Log4j 2 (versions 2.0 up to and including 2.14.1) has a critical security issue: CVE-2021-44228 (Log4Shell).
ReportServer is not affected by this in its default configuration. Why?
– ReportServer does not use Log4j 2. It only ships log4j-over-slf4j 1.7.12 (an SLF4J bridge that reimplements the log4j 1.x API on top of SLF4J and contains no Log4j 2 code) and slf4j-jdk14 1.7.12, neither of which is affected; see http://slf4j.org/log4shell.html
– If you use Crystal Reports as described here: https://reportserver.net/en/guides/admin/chapters/SAP-Crystal-Reports/ you are affected, though, as Crystal (in its current version CR4ERL27_0-80004572) ships log4j 2.14.0 (both log4j-core.jar and log4j-api.jar). In this case, upgrade to at least log4j 2.17.0 by removing log4j-core.jar and log4j-api.jar and replacing them with the same two artifacts in a version >= 2.17.0 (keep log4j-core and log4j-api at the same version). Afterwards, make sure no older log4j-core jar remains anywhere on the classpath and restart the application server so the new jars are loaded.
– Tomcat is not affected in its default configuration, since it logs through its own java.util.logging implementation (JULI) rather than Log4j: https://www.geekyhacker.com/2021/12/11/three-ways-to-patch-log4shell-cve-2021-44228-vulnerability/
Tomcat is one of the libraries/frameworks that do not use Log4j by default, though they may optionally be configured to use it. You can tell whether yours is by looking for log4j-core-*.jar in Tomcat's lib directory and in the WEB-INF/lib directories of your deployed web applications.
If your Tomcat is configured to use Log4j, you can apply the mitigation steps described in the link or, better, upgrade to Log4j >= 2.17.0.
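To check the Crystal Reports and Tomcat steps above, the following script scans a directory tree for log4j-core/log4j-api jars and flags any whose version is older than 2.17.0. It is an added example, not part of this announcement or of the ReportServer or Crystal Reports distributions; the jar names in the demo tree are constructed (based on the 2.14.0 version mentioned above), and the check is file-name based, so renamed or shaded (repackaged) jars would be missed and the jar manifests should still be inspected.

```shell
#!/bin/sh
# Added example (not ReportServer code): find log4j-core / log4j-api jars below a
# directory, e.g. a Crystal Reports or Tomcat installation, and report those whose
# file-name version is older than the minimum recommended in the announcement.
# File-name based: shaded or renamed jars are not detected.

MIN_LOG4J_VERSION="2.17.0"

# version_lt A B -> exit 0 if dotted version A is strictly older than B.
# A pre-release suffix such as "-beta9" or "-rc1" is stripped first, and ".0.0"
# is appended so that short versions like "2.0" compare as 2.0.0.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[-+].*$//').0.0
    b=$(printf '%s' "$2" | sed 's/[-+].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal versions are not "less than"
}

# log4j_jar_version PATH -> prints the version from a name like log4j-core-2.14.0.jar
# ("2.14.0"); prints nothing for other jars (log4j-over-slf4j-*.jar is deliberately
# not matched, it is the SLF4J bridge and not Log4j 2).
log4j_jar_version() {
    name=$(basename "$1")
    case "$name" in
        log4j-core-*.jar|log4j-api-*.jar)
            v=${name#log4j-core-}
            v=${v#log4j-api-}
            printf '%s\n' "${v%.jar}" ;;
        *) ;;
    esac
}

# scan_log4j_jars DIR -> prints "OUTDATED <version> <path>" for every log4j-core or
# log4j-api jar under DIR that is older than MIN_LOG4J_VERSION.
scan_log4j_jars() {
    find "$1" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \) -print |
    while IFS= read -r f; do
        v=$(log4j_jar_version "$f")
        [ -n "$v" ] || continue
        if version_lt "$v" "$MIN_LOG4J_VERSION"; then
            printf 'OUTDATED %s %s\n' "$v" "$f"
        fi
    done
}

# count_outdated_jars DIR -> number of outdated jars found under DIR.
count_outdated_jars() {
    scan_log4j_jars "$1" | wc -l | tr -d ' '
}

# make_demo_tree -> creates a constructed sample installation in a temp directory
# (empty files standing in for jars) and prints its path. Not real Crystal files.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/crystal/lib" "$d/other/lib"
    # Crystal-style lib dir with the log4j 2.14.0 jars named in the announcement.
    touch "$d/crystal/lib/log4j-core-2.14.0.jar" "$d/crystal/lib/log4j-api-2.14.0.jar"
    # SLF4J bridge shipped by ReportServer itself: must not be flagged.
    touch "$d/crystal/lib/log4j-over-slf4j-1.7.12.jar"
    # An already updated location: must not be flagged either.
    touch "$d/other/lib/log4j-core-2.17.0.jar" "$d/other/lib/log4j-api-2.17.0.jar"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree; on a real system call
# scan_log4j_jars /path/to/crystal or scan_log4j_jars "$CATALINA_HOME" instead.
demo_dir=$(make_demo_tree)
scan_log4j_jars "$demo_dir"
rm -rf "$demo_dir"
```

On the constructed tree the script reports the two 2.14.0 jars in crystal/lib and nothing else; after replacing them with >= 2.17.0 artifacts, a rerun should print nothing.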
Your ReportServer Team