Category: General
Priority: Immediate
Status: Resolved
Project:
Severity: Block
Resolution: Fixed
Component:
Reproducibility: N/A
Assigned to:
Hi Team,
The JasperReports library relies on "xalan.jar", which has a security vulnerability, and there is no newer version of "xalan.jar" available that is free of the vulnerability. Hence, we are planning to remove this jar from our environment, but doing so causes functionality to break.
As per our understanding, the Xalan jar is dormant and will be retired in the future. The solution is to use the Xalan package that the Java runtime includes in OpenJDK, in place of the Apache Xalan jar.
Refer:
https://mvnrepository.com/artifact/xalan/xalan/2.7.2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169
Please let us know whether there are any plans to remove the dependency on xalan.jar from the JasperReports library in future releases.
Thanks,
Tushar Patil
2 Comments:
Hi Team,
We are eagerly waiting for your reply.
Thanks,
Tushar Patil
Hi,
We were using Xalan for the XML data source and XPath query executer.
But in addition to the Xalan-based implementations of these, we already had an alternate implementation based on Jaxen.
You can remove Xalan from the classpath of your application and, in case you do use XML data sources, you can switch to the Jaxen implementation using the following configuration property:
https://jasperreports.sourceforge.net/config.reference.html#net.sf.jaspe...
In the upcoming release, the classes that use Xalan are going to be moved into a separate/optional JAR, while the Jaxen ones will become the defaults.
I hope this helps.
Teodor
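The following is an added example illustrating the two steps Teodor describes; it is not JasperReports' own code and was not posted in this thread. The configuration link above is truncated, so the property key `net.sf.jasperreports.xpath.executer.factory` and the factory class `net.sf.jasperreports.engine.util.xml.JaxenXPathExecuterFactory` used below are assumptions and should be confirmed against the config reference. The `${jasperreports.version}` placeholder in the Maven fragment is likewise illustrative.

```java
// Added example (not from this page): keep xalan.jar off the classpath,
// switch JasperReports' XPath evaluation to the Jaxen implementation, and
// verify both at runtime.
//
// Build side (Maven, illustrative): exclude the transitive xalan artifact so a
// dependency cannot silently reintroduce it.
//
//   <dependency>
//     <groupId>net.sf.jasperreports</groupId>
//     <artifactId>jasperreports</artifactId>
//     <version>${jasperreports.version}</version>
//     <exclusions>
//       <exclusion>
//         <groupId>xalan</groupId>
//         <artifactId>xalan</artifactId>
//       </exclusion>
//     </exclusions>
//   </dependency>

import javax.xml.transform.TransformerFactory;
import net.sf.jasperreports.engine.DefaultJasperReportsContext;
import net.sf.jasperreports.engine.JRPropertiesUtil;

public class XalanRemovalCheck {

    // ASSUMED names (see lead-in): confirm against the JasperReports config reference.
    static final String XPATH_FACTORY_PROPERTY = "net.sf.jasperreports.xpath.executer.factory";
    static final String JAXEN_FACTORY = "net.sf.jasperreports.engine.util.xml.JaxenXPathExecuterFactory";

    /** True when no Apache Xalan class can be loaded from the application classpath. */
    static boolean xalanAbsent() {
        try {
            Class.forName("org.apache.xalan.processor.TransformerFactoryImpl");
            return false; // a standalone xalan.jar is still present somewhere
        } catch (ClassNotFoundException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        // 1. Point JasperReports at the Jaxen XPath executer instead of the Xalan one.
        //    This is the programmatic equivalent of the same key=value line in
        //    jasperreports.properties.
        DefaultJasperReportsContext ctx = DefaultJasperReportsContext.getInstance();
        ctx.setProperty(XPATH_FACTORY_PROPERTY, JAXEN_FACTORY);
        System.out.println("XPath executer factory: "
            + JRPropertiesUtil.getInstance(ctx).getProperty(XPATH_FACTORY_PROPERTY));

        // 2. Prove the standalone xalan.jar is really gone. A leftover copy in
        //    WEB-INF/lib or an unexcluded transitive dependency makes this print true.
        System.out.println("Apache Xalan on classpath: " + !xalanAbsent());

        // 3. XSLT still works without it: with xalan.jar removed, the JAXP lookup
        //    falls back to the XSLTC transformer bundled with the JDK
        //    (com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl).
        System.out.println("JAXP TransformerFactory: "
            + TransformerFactory.newInstance().getClass().getName());
    }
}
```

Run this once from the deployed application's classpath rather than from the build tree: the check in step 2 only proves something about the jars actually loaded at runtime, which is where a stray xalan.jar tends to survive.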