Jump to content
Changes to the Jaspersoft community edition download ×

SECURITY VULNERABILITIES IN JASPER CE 6.1.0


akshaya_hebbar

Recommended Posts

SECURITY VULNERABILITIES IN JASPER CE 6.1.0

During the testing of jasperreports-server-cp, version 6.1.0  we found that it uses the below libraries:

standard-1.1.2.jar (Security vulnerability CVE-2015-0254)

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. <a href="http://cwe.mitre.org/data/definitions/611.html" target="_blank">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

Details here : 
       https://nvd.nist.gov/vuln/detail/CVE-2015-0254
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254
       https://www.cvedetails.com/cve/CVE-2015-0254/

Recommended upgrade is to use taglibs-standard-impl-1.2.3.jar or later.

 

c3p0-0.9.1.1.jar (Security vulnerability CVE-2019-5427)
 
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
     
Details here : 
      https://nvd.nist.gov/vuln/detail/CVE-2019-5427
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
      https://www.cvedetails.com/cve/CVE-2019-5427/

Recommended upgrade is to use c3p0-0.9.5.4.jar or later.

 

We noticed that the latest version of the jasperreports-server-cp, version 7.2.0 also uses vulnerable jars standard-1.1.2.jar and c3p0-0.9.1.1.jar.

Hence currently there is NO jasper release that we can upgrade to (that addresses these issues).

Few queries to the jasper community:

1) Are there any plans to upgrade the above vulnerable jars in the coming releases of the jasper reports server CE ?
 
2) Could you recommend any workaround to circumvent the security problems until the upgrade of jars happen ?

Link to comment
Share on other sites

  • Replies 1
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...