Apache Commons Text Library Vulnerability for Jaspersoft Products


    jpadre
    Features: JasperReports Server | Version: v8 | Product: JasperReports® Server

    Important Note

    UNDERGOING REANALYSIS

    This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary. Jaspersoft will keep this page updated as more information becomes available.

    Overview

    Jaspersoft is aware of the recent vulnerability CVE-2022-42889, a remote code execution flaw in the Apache Commons Text library. Apache Commons Text is an open-source library that performs variable interpolation, allowing properties to be dynamically evaluated and expanded. This is a newly discovered flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.

    Impact: Affects Apache Commons Text versions 1.5 through 1.9, in which the default set of Lookup instances includes interpolators that allow arbitrary code execution and remote server connections.

    Targets: All Jaspersoft products

    Available Hotfixes

    Hotfixes are available for the following versions of JasperReports Server:

    Fix for JasperReports Server 7.8, 7.9, 8x

    Upgrade to Apache Commons Text version 1.10, which disables the problematic interpolators by default and eliminates the threats associated with possible Text4shell exploitation.

    1. Manually replace the old commons-text-1.8.jar or commons-text-1.9.jar with commons-text-1.10.0.jar, which can be found at the Maven Repository: https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.10.0

    2. Replace the jar in both locations: tomcat/webapps/jasperserver-pro/WEB-INF/lib and <js-install>/buildomatic/lib
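    After replacing the jars, a practitioner will want to confirm that no Commons Text jar in the 1.5 to 1.9 range is left behind in either library directory (a leftover commons-text-1.9.jar next to the new 1.10.0 jar keeps the vulnerable classes on the classpath). The POSIX shell script below is an added example written for this page, not a Jaspersoft-provided tool; the JS_INSTALL environment variable and its default path are assumptions standing in for the advisory's <js-install> placeholder, and the tomcat path is taken from the advisory's step 2.

```shell
#!/bin/sh
# Added example (not Jaspersoft's script): audit JasperReports Server library
# directories for Apache Commons Text jars still in the vulnerable 1.5-1.9 range.

# commons_text_vulnerable PATH
#   returns 0 if PATH names a commons-text jar at version 1.5 through 1.9,
#   1 if it is a commons-text jar at any other version (e.g. 1.10.0),
#   2 if the file is not a commons-text jar at all.
commons_text_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^.*commons-text-\([0-9][0-9.]*\)\.jar$/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}      # "1" from "1.10.0"
    rest=${ver#*.}        # "10.0" from "1.10.0"
    minor=${rest%%.*}     # "10" from "10.0"
    if [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]; then
        return 0
    fi
    return 1
}

# scan_commons_text DIR...
#   prints one status line per commons-text jar found in each directory;
#   returns 1 if any vulnerable jar was found, 0 otherwise.
scan_commons_text() {
    status=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            continue
        fi
        seen=0
        for jar in "$dir"/commons-text-*.jar; do
            [ -e "$jar" ] || continue
            seen=1
            if commons_text_vulnerable "$jar"; then
                echo "VULNERABLE  $jar"
                status=1
            else
                echo "ok          $jar"
            fi
        done
        [ "$seen" -eq 1 ] || echo "no commons-text jar found in $dir" >&2
    done
    return $status
}

# With no arguments, check the two directories named in the advisory.
# JS_INSTALL is an assumed placeholder for <js-install>; set it to your install root.
if [ "$#" -eq 0 ]; then
    set -- "${JS_INSTALL:-/path/to/js-install}/tomcat/webapps/jasperserver-pro/WEB-INF/lib" \
           "${JS_INSTALL:-/path/to/js-install}/buildomatic/lib"
fi
scan_commons_text "$@"
```

Run it as `JS_INSTALL=/your/js-install sh check-commons-text.sh` or pass the library directories explicitly; a non-zero exit means at least one jar from the vulnerable range is still present and must be removed, not just supplemented with 1.10.0. The check is by file name only: it does not inspect jar contents, so a renamed or shaded copy of the library would not be detected.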

    References

    Document History

    • Version 1.0 (Oct 24, 2022): Initial vulnerability report published. 
    • Version 2.0 (Oct 25, 2022): Added available hotfixes.
    • Version 2.1 (Oct 31, 2022): Updated Step 1.
