Important Note:
UNDERGOING REANALYSIS
This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary. Jaspersoft will keep this page updated as more information becomes available.
Overview
Jaspersoft is aware of the recent vulnerability CVE-2022-42889, a remote code execution flaw in the Apache Commons Text library. Apache Commons Text is an open-source library that performs variable interpolation, allowing properties to be dynamically evaluated and expanded. This is a newly discovered flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.
Impact: Affects Apache Commons Text versions 1.5 through 1.9, in which the set of default Lookup instances includes interpolators that allow arbitrary code execution and remote server connections.
Targets: All Jaspersoft products
Available Hotfixes
Hotfixes are available for the following versions of JasperReports Server:
- JRS 8.0.x (LTS release): https://support.tibco.com/s/hotfixes?id=a014z00000yefQrAAI
- JRS 8.1.0 (Mainstream release): https://support.tibco.com/s/hotfixes?id=a014z00000yk3Z0AAI
Fix for JasperReports Server 7.8, 7.9, 8.x
Upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default and eliminates the threat of Text4Shell exploitation.
1. Download commons-text-1.10.0.jar from the Maven Repository (https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.10.0) and use it to manually replace the old commons-text-1.8.jar or commons-text-1.9.jar.
2. Replace the jar in both locations: tomcat/webapps/jasperserver-pro/WEB-INF/lib and, in buildomatic, <js-install>/buildomatic/lib.
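The following POSIX shell script is an added example (not Jaspersoft tooling) for verifying the replacement above: it scans the two library directories named in this advisory for commons-text jars, reports any jar whose version falls in the affected 1.5 through 1.9 range, and flags a directory with no commons-text jar at all. It assumes the jar keeps the standard commons-text-<version>.jar file name, so a renamed copy would not be detected; a leftover old jar sitting next to the new 1.10.0 jar is still reported as affected, since it remains on the classpath. The directory paths are passed as arguments and the usage line uses the advisory's own paths.

```shell
#!/bin/sh
# Added example, not part of the Jaspersoft advisory: audit JasperReports Server
# library directories for Apache Commons Text jars affected by CVE-2022-42889.
# Assumptions: jars keep the upstream name commons-text-<version>.jar, and the
# directories to check are given on the command line.
#
# Usage (paths from the advisory; <js-install> is the install root):
#   sh audit-commons-text.sh tomcat/webapps/jasperserver-pro/WEB-INF/lib <js-install>/buildomatic/lib

# Return 0 when a commons-text version string lies in the affected range 1.5-1.9,
# 1 when it does not, and 2 when the string is not a dotted numeric version.
commons_text_version_affected() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    case "$minor" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]
}

# Print the version embedded in a commons-text jar file name
# (commons-text-1.9.jar -> 1.9); return 1 for any other file name.
commons_text_jar_version() {
    name="${1##*/}"
    case "$name" in
        commons-text-*.jar) ;;
        *) return 1 ;;
    esac
    name="${name#commons-text-}"
    printf '%s\n' "${name%.jar}"
}

# Audit each directory given as an argument. Prints one line per jar found
# (AFFECTED or OK) and a MISSING line for a directory without any commons-text
# jar. Returns 1 if anything is affected or missing, 0 if every directory holds
# only unaffected jars.
audit_commons_text() {
    status=0
    for dir in "$@"; do
        found=0
        for jar in "$dir"/commons-text-*.jar; do
            [ -f "$jar" ] || continue
            found=1
            ver=$(commons_text_jar_version "$jar") || continue
            if commons_text_version_affected "$ver"; then
                printf 'AFFECTED %s (commons-text %s, replace with 1.10.0)\n' "$jar" "$ver"
                status=1
            else
                printf 'OK       %s (commons-text %s)\n' "$jar" "$ver"
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf 'MISSING  no commons-text jar found in %s\n' "$dir"
            status=1
        fi
    done
    return "$status"
}

# Only audit when directories are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    audit_commons_text "$@"
fi
```

Run it after the jar replacement on both directories; a non-zero exit status means at least one directory still needs attention, which makes the script usable as a post-patch check in a deployment pipeline.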
References
- CVE-2022-42889
- Maven Repository for Commons Text 1.10.0: https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.10.0
Document History
- Version 1.0 (Oct 24, 2022): Initial vulnerability report published.
- Version 2.0 (Oct 25, 2022): Added available hotfixes.
- Version 2.1 (Oct 31, 2022): Updated Step 1.