akshaya_hebbar Posted July 23, 2019

SECURITY VULNERABILITIES IN JASPER CE 6.1.0

During the testing of jasperreports-server-cp, version 6.1.0 we found that it uses the below libraries:

standard-1.1.2.jar (Security vulnerability CVE-2015-0254)

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)

Details here:
https://nvd.nist.gov/vuln/detail/CVE-2015-0254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254
https://www.cvedetails.com/cve/CVE-2015-0254/

Recommended upgrade is to use taglibs-standard-impl-1.2.3.jar or later.

c3p0-0.9.1.1.jar (Security vulnerability CVE-2019-5427)

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Details here:
https://nvd.nist.gov/vuln/detail/CVE-2019-5427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
https://www.cvedetails.com/cve/CVE-2019-5427/

Recommended upgrade is to use c3p0-0.9.5.4.jar or later.

We noticed that the latest version of the jasperreports-server-cp, version 7.2.0 also uses the vulnerable jars standard-1.1.2.jar and c3p0-0.9.1.1.jar. Hence currently there is NO jasper release that we can upgrade to (that addresses these issues).

A few queries to the jasper community:

1) Are there any plans to upgrade the above vulnerable jars in the coming releases of the jasper reports server CE?
2) Could you recommend any workaround to circumvent the security problems until the upgrade of jars happens?
djohnson53 Posted July 23, 2019

Don't quite have an answer for you, but you can start here: https://www.tibco.com/security

They refer to an email address: security@tibco.com