SECURITY VULNERABILITIES IN JASPER CE 6.1.0


During the testing of jasperreports-server-cp, version 6.1.0, we found that it uses the below libraries:

standard-1.1.2.jar (Security vulnerability CVE-2015-0254)

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)

Details here:
    https://nvd.nist.gov/vuln/detail/CVE-2015-0254
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254
    https://www.cvedetails.com/cve/CVE-2015-0254/

Recommended upgrade is to use taglibs-standard-impl-1.2.3.jar or later.

 

c3p0-0.9.1.1.jar (Security vulnerability CVE-2019-5427)

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Details here:
    https://nvd.nist.gov/vuln/detail/CVE-2019-5427
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
    https://www.cvedetails.com/cve/CVE-2019-5427/

Recommended upgrade is to use c3p0-0.9.5.4.jar or later.


We noticed that the latest version of the jasperreports-server-cp, version 7.2.0 also uses vulnerable jars standard-1.1.2.jar and c3p0-0.9.1.1.jar.

Hence currently there is NO jasper release that we can upgrade to (that addresses these issues).

A few queries to the jasper community:

1) Are there any plans to upgrade the above vulnerable jars in the coming releases of the jasper reports server CE?

2) Could you recommend any workaround to circumvent the security problems until the upgrade of jars happens?

Posted by akshaya_hebbar
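Both CVEs above come down to the same root cause: an XML parser that honours a DOCTYPE, either resolving external entities (XXE, CVE-2015-0254) or expanding nested internal entities (billion laughs, CVE-2019-5427). The only complete fix is the jar upgrade the post recommends, but the defensive parser configuration below shows what "missing protections against entity expansion" means in practice and how an application that parses untrusted XML itself should configure the JAXP parser. This is an added example, not code from the post, from JasperReports Server, or from c3p0 or the Standard Taglibs; the class and method names, and the three sample documents, are constructed for illustration. The `c3p0-config` element and `maxPoolSize` property are c3p0's own configuration names, used only as a realistic-looking benign input.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical class name: demonstrates a JAXP DocumentBuilder hardened
// against both XXE and entity-expansion (billion laughs) inputs.
public class HardenedXmlParsing {

    // Build a DocumentBuilder that refuses any DTD.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration outright blocks external entities
        // (XXE) and recursive internal entities (billion laughs) in one step.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation does not honour the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Returns the root element name on success, or null when the hardened
    // parser rejected the input (a SAXParseException on the DOCTYPE line).
    static String parseRootName(String xml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a deliberately tiny entity-expansion document
        // (two levels deep, so it stays harmless even on an unhardened parser).
        String laughs = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE lolz [\n"
            + " <!ENTITY lol \"lol\">\n"
            + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;\">\n"
            + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;\">\n"
            + "]>\n"
            + "<lolz>&lol2;</lolz>";

        // Constructed sample: an external entity pointing at a placeholder URI.
        // The hardened parser rejects the DOCTYPE before any URI is resolved.
        String xxe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE cfg [ <!ENTITY ext SYSTEM \"file:///placeholder/not-read\"> ]>\n"
            + "<cfg>&ext;</cfg>";

        // Constructed sample: an ordinary c3p0-style configuration with no DTD at all.
        String benign = "<c3p0-config><default-config>"
            + "<property name=\"maxPoolSize\">10</property>"
            + "</default-config></c3p0-config>";

        System.out.println("billion laughs accepted: " + (parseRootName(laughs) != null));
        System.out.println("XXE accepted: " + (parseRootName(xxe) != null));
        System.out.println("benign document root: " + parseRootName(benign));
    }
}
```

Run with `javac HardenedXmlParsing.java && java HardenedXmlParsing`. The two DOCTYPE-bearing inputs are rejected and only the plain configuration parses. Note that this only protects XML the application parses through its own builder; XML handled inside a vulnerable library (the taglib's `<x:parse>`/`<x:transform>`, or c3p0 reading its own configuration) still goes through that library's parser, which is why the jar upgrade remains the real fix.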

Don't quite have an answer for you, but you can start here: https://www.tibco.com/security

They refer to an email address: security@tibco.com

djohnson53 - 3 weeks 4 days ago

0 Answers:

No answers yet