Apache Commons Text Library Vulnerability for Jaspersoft Products

Important Note

UNDERGOING REANALYSIS

This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary. Jaspersoft will keep this page updated as more information becomes available.

Overview

Jaspersoft is aware of the recent vulnerability CVE-2022-42889, a remote code execution flaw in the Apache Commons Text library. Apache Commons Text is an open-source library that performs variable interpolation, allowing properties to be dynamically evaluated and expanded. This is a newly discovered flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.

Impact: Affects Apache Commons Text versions 1.5 through 1.9, where the set of default Lookup instances includes interpolators that allow arbitrary code execution and connections to remote servers.

Targets: All Jaspersoft products

Available Hotfixes

Hotfixes are available for the following versions of JasperReports Server:

Fix for JasperReports Server 7.8, 7.9, 8.x

Upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default and eliminates the threat of Text4Shell exploitation.

1. Manually replace the old commons-text-1.8.jar or commons-text-1.9.jar with commons-text-1.10.0.jar, which can be downloaded from the Maven Repository: https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.10.0

2. Replace the jar in both locations: tomcat/webapps/jasperserver-pro/WEB-INF/lib and, in buildomatic, <js-install>/buildomatic/lib
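After completing these steps, confirm that no vulnerable copy of the library has been left behind in either directory. The following POSIX shell script is an added example, not Jaspersoft's own tooling; it assumes the jar names follow the commons-text-<version>.jar pattern used above and takes the lib directories as arguments.

```shell
#!/bin/sh
# Added example, not Jaspersoft's own tooling: after swapping the jar, confirm
# that each lib directory holds exactly one commons-text jar, at 1.10.0 or later.

# Return 0 when a version string is >= 1.10.0 (the release that disabled the
# problematic interpolators by default); 1 when older or unparsable.
is_fixed_version() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%.*}
    [ "$maj" -gt 1 ] 2>/dev/null && return 0
    [ "$maj" -eq 1 ] 2>/dev/null && [ "$min" -ge 10 ] 2>/dev/null
}

# Print the version of every commons-text-*.jar found directly in a directory.
commons_text_versions() {
    for jar in "$1"/commons-text-*.jar; do
        [ -e "$jar" ] || continue
        base=$(basename "$jar" .jar)
        echo "${base#commons-text-}"
    done
}

# Return 0 only if the directory holds a single commons-text jar that is fixed.
# A 1.10.0 jar sitting beside a leftover 1.8/1.9 jar is still a finding: the
# old classes may be the ones the class loader picks up.
check_commons_text_dir() {
    dir="$1"
    count=0
    fixed=0
    for v in $(commons_text_versions "$dir"); do
        count=$((count + 1))
        if is_fixed_version "$v"; then
            echo "fixed:      $dir/commons-text-$v.jar"
            fixed=$((fixed + 1))
        else
            echo "VULNERABLE: $dir/commons-text-$v.jar"
        fi
    done
    [ "$count" -eq 0 ] && echo "no commons-text jar in $dir" && return 1
    [ "$count" -gt 1 ] && echo "WARNING: $count commons-text jars in $dir; remove the old one"
    [ "$count" -eq 1 ] && [ "$fixed" -eq 1 ]
}

# Usage: sh check_commons_text.sh <lib-dir>...  (one report per directory)
for d in "$@"; do
    check_commons_text_dir "$d"
done
```

Run it as `sh check_commons_text.sh tomcat/webapps/jasperserver-pro/WEB-INF/lib <js-install>/buildomatic/lib` from the server installation root.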

References

Document History

  • Version 1.0 (Oct 24, 2022): Initial vulnerability report published. 
  • Version 2.0 (Oct 25, 2022): Added available hotfixes.
  • Version 2.1 (Oct 31, 2022): Updated Step 1.
