Everything posted by akshaya_hebbar

  1. I am currently trying to upgrade JasperReports Server Community Edition from version 6.1.0 to version 7.5.0. The upgrade guide for JasperReports Server Community Edition version 7.5.0 (https://community.jaspersoft.com/documentation/tibco-jasperreports-server-community-project-upgrade-guide/v750/upgrading), in the section "Upgrading from 6.3.x or Earlier", says: "If you're running JasperReports Server version 6.3.x or earlier, your upgrade requires multiple steps. If you're running JasperReports Server 4.5 through 6.3.x: 1. Upgrade to the latest version of 6.4.x. 2. Upgrade from 6.4.x to version 7.5." From the above notes in the upgrade guide for version 7.5.0, if I need to upgrade my JasperReports Server Community Edition from version 6.1.0 to 7.5.0, it is a 2-step process: first upgrade 6.1.0 to 6.4.3 and then upgrade 6.4.3 to 7.5.0. But I tried to skip the 2-step approach and upgraded directly from 6.1.0 to 7.5.0; the upgrade process went fine without any errors, and the functionality also seems to work fine after the upgrade. My question to the Jasper community: is the two-step process really required if I need to upgrade from 6.1.0 to 7.5.0? Will directly upgrading from 6.1.0 to 7.5.0 cause any issues/problems?
  2. The complete command to be executed in the step "Exporting Current Repository Data" (https://community.jaspersoft.com/documentation/tibco-jasperreports-server-community-project-upgrade-guide/v750/upgrading-64-71-75) is: js-export-ce.sh --everything --output-zip js-7.1-export.zip --genkey. If your advice is to use js-export.sh instead of js-export-ce.sh, that does not work either; ./js-export.sh --everything --output-zip js-export.zip --genkey fails with the below error: "Option genkey is not recognized." The above error is because js-export.sh does not support the --genkey option. The mention of both the script js-export-ce.sh and the option --genkey in the upgrade guide cannot be a typo.
  3. As mentioned earlier in the question/ticket, I am using, or trying to upgrade, the "community edition" of JasperReports Server, and I cannot find the script js-export-ce in the community edition of JasperReports Server 6.4.3. I am following the upgrade guide for the community edition, and the upgrade guide asks me to use the script js-export-ce, which is not present in the JasperReports Server installation version 6.4.3 (also not present in version 6.4.0 or 7.5.0): https://community.jaspersoft.com/documentation/tibco-jasperreports-server-community-project-upgrade-guide/v750/upgrading-64-71-75
  4. I am following the steps described in the below upgrade guide link to upgrade from JasperReports Server Community Edition 6.4.3 to 7.5.0: https://community.jaspersoft.com/documentation/tibco-jasperreports-server-community-project-upgrade-guide/v750/upgrading-64-71-75 While trying to execute the command in the section "Exporting Current Repository Data", I am not able to locate the script js-export-ce.sh in the JasperReports Server installation 6.4.3: js-export-ce.sh --everything --output-zip js-export.zip --genkey. I also noticed that the script js-export-ce.sh is not present in the JasperReports Server installation 6.4.0 either. Please help me locate the script js-export-ce.sh. I cannot use the script js-export.sh instead of js-export-ce.sh, because the script js-export.sh does not support the --genkey option, and the genkey option seems to be important, as the same will later be used for the upgrade to 7.5.
  5. The answer given by swood_1 only applies to CVE-2019-14439. The other vulnerabilities, CVE-2019-12086, CVE-2019-12814, CVE-2019-12384 and CVE-2019-14379, are still not answered. I am not getting an option to comment on his answer, so I am adding a comment here.
  6. SECURITY VULNERABILITIES WITH jackson-databind-2.1.4.jar IN JASPER CE 6.1.0
     During the testing of jasperreports-server-cp, version 6.1.0, we found that it uses the library jackson-databind-2.1.4.jar, which has the below-mentioned vulnerabilities.
     CVE-2019-12086: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. More details: https://nvd.nist.gov/vuln/detail/CVE-2019-12086 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
     CVE-2019-12814: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. More details: https://nvd.nist.gov/vuln/detail/CVE-2019-12814 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
     CVE-2019-12384: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. More details: https://nvd.nist.gov/vuln/detail/CVE-2019-12384 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
     CVE-2019-14379: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution. More details: https://nvd.nist.gov/vuln/detail/CVE-2019-14379 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
     CVE-2019-14439: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. More details: https://nvd.nist.gov/vuln/detail/CVE-2019-14439 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
     The recommended upgrade is to use jackson-databind-2.9.9.3.jar or later. We noticed that the latest version of jasperreports-server-cp, version 7.2.0, also uses the vulnerable jar jackson-databind-2.9.8.jar. Hence there is currently NO Jasper release that we can upgrade to (that addresses the above issues).
     Queries: 1) Are there any plans to upgrade the above vulnerable jar in the coming releases of JasperReports Server CE? 2) Could you recommend any workaround to circumvent the security problems until the upgrade of the jar happens? I have also sent a note to security@tibco.com regarding the above vulnerabilities.
  7. SECURITY VULNERABILITIES IN JASPER CE 6.1.0
     During the testing of jasperreports-server-cp, version 6.1.0, we found that it uses the below libraries:
     standard-1.1.2.jar (Security vulnerability CVE-2015-0254): Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html). Details here: https://nvd.nist.gov/vuln/detail/CVE-2015-0254 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254 https://www.cvedetails.com/cve/CVE-2015-0254/ The recommended upgrade is to use taglibs-standard-impl-1.2.3.jar or later.
     c3p0-0.9.1.1.jar (Security vulnerability CVE-2019-5427): c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. Details here: https://nvd.nist.gov/vuln/detail/CVE-2019-5427 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427 https://www.cvedetails.com/cve/CVE-2019-5427/ The recommended upgrade is to use c3p0-0.9.5.4.jar or later.
     We noticed that the latest version of jasperreports-server-cp, version 7.2.0, also uses the vulnerable jars standard-1.1.2.jar and c3p0-0.9.1.1.jar. Hence there is currently NO Jasper release that we can upgrade to (that addresses these issues).
     A few queries to the Jasper community: 1) Are there any plans to upgrade the above vulnerable jars in the coming releases of JasperReports Server CE? 2) Could you recommend any workaround to circumvent the security problems until the upgrade of the jars happens?
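As an added example (not code from these posts or from Jaspersoft), a small Python script that inventories the jars in a JasperReports Server lib directory against the minimum fixed versions named in posts 6 and 7, so an operator can confirm an install is still shipping a flagged jackson-databind, taglibs-standard or c3p0 build; the artifact-name prefixes and the sample directory listing are assumptions.

```python
import re
from pathlib import Path

# Minimum fixed versions stated in the two posts above, keyed by the jar's
# artifact-name prefix (assumed names; "standard" is the old taglibs artifact).
MIN_FIXED = {
    "jackson-databind": "2.9.9.3",
    "taglibs-standard-impl": "1.2.3",
    "standard": "1.2.3",
    "c3p0": "0.9.5.4",
}

# name-<numeric version>.jar; snapshot or qualified versions do not match
# and are reported as unparseable rather than silently passed.
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<ver>\d+(?:\.\d+)*)\.jar$")


def version_tuple(s):
    return tuple(int(p) for p in s.split("."))


def parse_jar(filename):
    """'jackson-databind-2.1.4.jar' -> ('jackson-databind', (2, 1, 4)); None if no match."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), version_tuple(m.group("ver"))


def find_vulnerable(filenames):
    """Return [(filename, minimum fixed version)] for every tracked jar below its fix.

    Tuple comparison handles differing lengths: (2, 9, 9) < (2, 9, 9, 3) is True.
    """
    findings = []
    for fn in filenames:
        parsed = parse_jar(fn)
        if parsed is None:
            continue
        name, ver = parsed
        fixed = MIN_FIXED.get(name)
        if fixed is not None and ver < version_tuple(fixed):
            findings.append((fn, fixed))
    return findings


def scan_lib_dir(path):
    """Scan a real WEB-INF/lib directory (e.g. under the Tomcat webapp)."""
    return find_vulnerable(sorted(p.name for p in Path(path).glob("*.jar")))


# Constructed listing resembling what post 6 and 7 describe for CE 6.1.0.
SAMPLE_LIB = ["jackson-databind-2.1.4.jar", "standard-1.1.2.jar",
              "c3p0-0.9.1.1.jar", "mysql-connector-java-8.0.14.jar"]

if __name__ == "__main__":
    for jar, fixed in find_vulnerable(SAMPLE_LIB):
        print(f"{jar}: below recommended minimum {fixed}")
```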