Software security and the safety of personal and commercial information are the most critical issues in the modern world.

What is Log4j?

Log4j is a popular Java-based logging utility used to write logs. The library is part of the Apache Registration Project.

What happened?

On December 9, 2021, a critical vulnerability in Log4j, CVE-2021-44228, became publicly known. It may allow arbitrary code to be executed, which can lead to data leaks. The vulnerability affected a massive number of projects, from iCloud to Steam.

How does this concern you as a Stimulsoft client?

The problem related to the Log4j vulnerability can affect users of only one product - Stimulsoft Reports.Java. However, our product does not directly use the Log4j library.

To work with SVG images, we use the Apache™ Batik SVG Toolkit library, which uses commons-logging, which, in turn, can interact with Log4j (if your system is configured for this).

What do you have to do?

The vulnerability has already been fixed in Log4j 2.12.2 and Log4j 2.17.0. If you are running Java 8 (or later), please update Log4j to version 2.17.0. Users requiring Java 7 should upgrade Log4j to release 2.12.2.

Otherwise, remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Please note that this vulnerability impacts only the log4j-core JAR file. This vulnerability does not impact applications using only the log4j-api JAR file without the log4j-core JAR file.
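
To confirm the result of either fix on a given host, the following script (an added example, not Stimulsoft or Apache code) walks a directory for log4j-core JARs and reports whether each one is a fixed release or still carries JndiLookup.class. It assumes the version can be read from the file name, which fails for renamed JARs, and it does not look inside nested archives such as WAR files.

```python
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?")


def is_fixed(version):
    """Fixed releases named in the advisory: 2.12.2 (Java 7) and 2.17.0 (Java 8+).
    Assumption: later 2.12.x patch releases and anything above 2.17.0 also count."""
    return (2, 12, 2) <= version < (2, 13, 0) or version >= (2, 17, 0)


def check_jar(path):
    """Return (status, detail) for a single log4j-core JAR."""
    m = VERSION_RE.match(path.name)  # heuristic: version taken from the file name
    version = tuple(int(g or 0) for g in m.groups()) if m else None
    try:
        with zipfile.ZipFile(path) as jar:
            has_jndi = JNDI_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return "unreadable", "not a valid JAR/ZIP archive; inspect manually"
    if version and is_fixed(version):
        return "fixed", "version %d.%d.%d" % version
    if not has_jndi:
        return "mitigated", "JndiLookup.class removed"
    label = "%d.%d.%d" % version if version else "unknown"
    return "needs-action", "JndiLookup.class present, version " + label


def scan(root):
    """Classify every log4j-core-*.jar under root.
    log4j-api JARs are skipped: on their own they are not affected."""
    jars = sorted(p for p in Path(root).rglob("log4j-core-*.jar") if p.is_file())
    return {str(p): check_jar(p) for p in jars}


if __name__ == "__main__":
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for jar, (status, detail) in results.items():
        print(f"{status:13} {jar}  ({detail})")
    bad = any(s in ("needs-action", "unreadable") for s, _ in results.values())
    sys.exit(1 if bad else 0)
```

The exit code is non-zero when any JAR still needs attention, so the script can gate a deployment or a scheduled check.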