SECURITY VULNERABILITIES IN JASPER CE 6.1.0
During the testing of jasperreports-server-cp, version 6.1.0, we found that it uses the libraries below:
standard-1.1.2.jar (Security vulnerability CVE-2015-0254)
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)
Recommended upgrade is to use taglibs-standard-impl-1.2.3.jar or later.
c3p0-0.9.1.1.jar (Security vulnerability CVE-2019-5427)
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
Details here:
Recommended upgrade is to use c3p0-0.9.5.4.jar or later.
We noticed that the latest version of the jasperreports-server-cp, version 7.2.0 also uses vulnerable jars standard-1.1.2.jar and c3p0-0.9.1.1.jar.
Hence currently there is NO jasper release that we can upgrade to (that addresses these issues).
A few queries to the jasper community:
1) Are there any plans to upgrade the above vulnerable jars in the coming releases of the jasper reports server CE?
2) Could you recommend any workaround to circumvent the security problems until the upgrade of jars happens?