Jasper Ideas

The jrs-rest-java-client library uses log4j 1.2.17, EOL since 2015. Maybe upgrade to 2.17.1

jrs-rest-java-client has log4j 1.2.17 in its pom.xml.

https://github.com/Jaspersoft/jrs-rest-java-client/blob/master/pom.xml

That version went End-of-Life in 2015, and it has CVEs that Apache isn't going to fix.

With all the press about the Log4Shell vulnerability at the end of 2021, our security people are trying to get rid of all the old log4j jars on our systems.

We would be very happy if jrs-rest-java-client upgraded to the latest 2.17.1.

I know log4j 1.2.17 isn't vulnerable to that particular CVE, but there are others...and it is more than 6 years since Apache abandoned it.

https://logging.apache.org/log4j/1.2/

https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces


  • Bob Robillard
  • Feb 4 2022
  • To be Reviewed
Components JasperReports Server, RestAPI