[#9521] - Security Issues in jasperreports dependencies

Category:
Bug report
Priority:
High
Status:
Feedback Requested
Project: Severity:
Major
Resolution:
Open
Component: Reproducibility:
Always
Assigned to:
0

jasperreports v6.4.0 seems to be vulnerable to some security threats brought in by dependencies.

For example:

org.apache.httpcomponents:httpclient 4.3.4
CVE-2014-3577 affects versions before 4.3.5
Current version is 4.5.3

org.apache.poi:poi-ooxml 3.10.1
CVE-2017-5644 affects versions before 3.15

org.codehaus.castor:castor-xml 1.3.3
Uses vulnerable commons-collections 3.2.1 (although jasperreports itself has 3.2.2 dependency (which is secure)
Fix version is 1.4.1, which uses org.apache.commons:commons-collections4 4.1

bsh:bsh 2.0b4
CVE-2016-2510 (CVVS 3 score 8.1)
Update to org.apache-extras.beanshell:bsh v2.0b6 or later.

Whilst there may be individual threats that may not apply in the context of jasperreports, the problem is that the threats are flagged up by scanning tools.

mark.symons's picture
Joined: May 4 2017 - 10:18am
Last seen: 2 weeks 2 days ago

1 Comment:

#1
  • Status:New» Feedback Requested
  • Assigned:» teodord

Hi,

JR has already been upgraded to use POI 3.15, Common Collections 3.2.2 and BSH 2.0b6 in the master branch of our Git repository and will be available in the next release.
Not sure what scan tools you are using and how they detect these vulnerabilities.

But JR Lib is just a JAR and all the other JARs that are needed have to be brought in by the parent application build system, so any vulnerability would be the responsibility of the builder.
If the build system is based on Maven, you can see that Commons Collections 3.2.1 does not come transiently through Castor, so still, the 3.2.2 referenced by JR Lib directly gets picked.
You can perform a >mvn dependency:tree in the JR Lib project and see which dependencies are brought in.
If Maven is not used for building the application that uses JR Lib, then the JARs are probably hand-picked, in which case the picker is responsible for their picks.

Thanks,
Teodor

PS. We also upgraded to HttpClient 4.3.6 in master branch.

Feedback
randomness