ReportServer and CVE-2021-44228 (Log4j) Information

Hi,

As many of you have probably heard, Log4j 2 (2.0 through 2.14.1) has a critical security issue: CVE-2021-44228

ReportServer is not affected by this in its default configuration. Why?
– ReportServer does not use log4j 2, only log4j-over-slf4j-1.7.12 and slf4j-jdk14 1.7.12, which are not affected. Refer to: http://slf4j.org/log4shell.html

– If you use Crystal Reports as described here: https://reportserver.net/en/guides/admin/chapters/SAP-Crystal-Reports/ you are affected, though, because Crystal (in its current version CR4ERL27_0-80004572) uses log4j-2.14.0 (both log4j-core.jar and log4j-api.jar). In this case, you can upgrade to at least log4j-2.17.0 by removing log4j-core.jar and log4j-api.jar and replacing them with a version >= 2.17.0.

– Tomcat is not affected in its default configuration: https://www.geekyhacker.com/2021/12/11/three-ways-to-patch-log4shell-cve-2021-44228-vulnerability/

The following libraries/frameworks don’t appear to use Log4j by default, though they may optionally be configured to use it.
- Apache Tomcat

If your Tomcat is configured to use Log4j, you can run the mitigation steps described in the link or, better, upgrade to log4j >= 2.17.0.

Best regards,
Your ReportServer Team
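
For the Crystal Reports case in the advisory above, the jars are named log4j-core.jar and log4j-api.jar with no version in the file name, so the version has to be read from inside the archive. The following is an added example, not code from ReportServer: it assumes the jars are unmodified Maven builds that carry a `pom.properties` entry, and the directory you pass in is whichever library folder you want to audit.

```python
import re
import zipfile
from pathlib import Path

FIXED = (2, 17, 0)  # minimum version the advisory asks for
# Assumption: Maven-built jars record their version in this entry.
POM_PROPS = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/(log4j-(?:core|api))/pom\.properties$")


def parse_version(text):
    """Turn '2.14.0' or '2.0-beta9' into a comparable tuple such as (2, 14, 0)."""
    nums = re.findall(r"\d+", text.split("-")[0])[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))


def log4j_versions(jar_path):
    """Yield (artifact, version) for each Log4j 2 artifact recorded in a jar."""
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            match = POM_PROPS.search(name)
            if not match:
                continue
            props = jar.read(name).decode("utf-8", "replace")
            version = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if version:
                yield match.group(1), version.group(1).strip()


def audit(lib_dir):
    """Return [(jar, artifact, version, needs_upgrade)] for all jars under lib_dir."""
    findings = []
    for jar_path in sorted(Path(lib_dir).rglob("*.jar")):
        try:
            for artifact, version in log4j_versions(jar_path):
                findings.append((str(jar_path), artifact, version,
                                 parse_version(version) < FIXED))
        except zipfile.BadZipFile:
            # A jar that cannot be opened cannot be cleared; flag it for review.
            findings.append((str(jar_path), "unreadable", "?", True))
    return findings


if __name__ == "__main__":
    import sys
    for jar, artifact, version, bad in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'UPGRADE' if bad else 'ok':8} {artifact} {version}  {jar}")
```

Run it again after replacing the jars to confirm that both log4j-core and log4j-api report a version of 2.17.0 or later.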

ReportServer 3.7.1 is now available

We are pleased to announce that the 3.7.1 version of ReportServer is now available for download.

For a list of all changes please refer to the Release Notes. The upgrade guide is available in the documentation area.

The javadocs can be found here: https://reportserver.net/api/current/javadoc/index.html
List of entities: https://reportserver.net/api/current/entities.html
List of hooks: https://reportserver.net/api/current/hooks.html
List of services: https://reportserver.net/api/current/services.html

Happy reporting!

Your ReportServer Team

ReportServer 3.7.0 is now available

We are pleased to announce that the 3.7.0 version of ReportServer is now available for download.

Among others, it now supports email, OneDrive – SharePoint (O365) and Dropbox datasinks. Please note that only email (together with FTP/SFTP/FTPS) datasources are available in the Community Version. All others are available in the Enterprise Version.

Further, note that the old mail.cf configuration file is now deprecated. Please use standard email datasinks instead.

For a list of all changes please refer to the Release Notes. The upgrade guide is available in the documentation area.

The javadocs can be found here: https://reportserver.net/api/current/javadoc/index.html
List of entities: https://reportserver.net/api/current/entities.html
List of hooks: https://reportserver.net/api/current/hooks.html
List of services: https://reportserver.net/api/current/services.html

Happy reporting!

Your ReportServer Team