[#14366] - Vulnerability in xalan.jar

Category:
General
Priority:
Immediate
Status:
New
Project: Severity:
Block
Resolution:
Open
Component: Reproducibility:
N/A
Assigned to:

Hi Team,

The Jasperreports library is reliant on "xalan.jar", which has a security vulnerability. Also, there is no latest version without vulnerability of "xalan.jar" available. Hence, we are planning to remove this jar from our environment, but it is causing functionality to break.

As per our understanding, the Xalan jar is dormant and, in the future, it will be retired. The solution is that the Java runtime includes the Xalan package in Open JDK, which needs to be used to replace the Apache Xalan jar.

Refer:
https://mvnrepository.com/artifact/xalan/xalan/2.7.2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169

Please let us know if we have any plans to remove the dependency of xalan.jar for the jasperreport library in future releases.

Thanks,
Tushar Patil

tuspatil's picture
Joined: Jan 3 2022 - 10:54pm
Last seen: 1 week 2 days ago

1 Comment:

#1

Hi Team,

We are eagerly waiting for your reply.

Thanks,
Tushar Patil

Feedback
randomness