  • Java Spring Framework Vulnerability Update for Jaspersoft Products


    jpadre
    • Product: JasperReports® Server

    Important Note: We will keep this page updated as more information becomes available.

    Overview

    TIBCO is aware of the recently announced Java Spring Framework vulnerability (CVE-2022-22965), referred to as “Spring4Shell”. This is a newly discovered remote code execution flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.

    This vulnerability is distinct from CVE-2022-22963 for Spring Cloud Function which was also announced recently. Jaspersoft products do not use Spring Cloud Function and are not affected by CVE-2022-22963.

    Impact: Spring MVC (model–view–controller) and Spring WebFlux applications running on JDK (Java Development Kit) 9 or later.

    Targets: All Jaspersoft products built on the Spring Framework, and any other application that uses it. The publicly known exploit requires the application to run on Apache Tomcat as a traditional WAR deployment; an application deployed as a Spring Boot executable jar is not vulnerable to that particular exploit. However, the underlying flaw is more general and other exploitation paths may exist, so the deployment shape alone should not be relied on as a mitigation.

    The sections below describe the affected products and versions.

    TIBCO Jaspersoft products/versions with vulnerable Spring Framework code:

    Product                                 Affected Versions
    JasperReports Server Pro                7.5.x, 7.8.x, 7.9.x, 8.0.x
    JasperReports Server Community Edition  7.5.x, 7.8.x, 8.0.x
    JasperReports Server for AWS            7.5.x, 7.8.x, 7.9.x, 8.0.1
    JasperReports Server for Azure          7.9.x, 8.0.1
    JasperReports IO Pro                    1.3.0, 2.0.0, 3.0.x
    JasperReports IO At-Scale               2.0.0, 3.0.x
    Jaspersoft Studio Pro                   7.5.x, 7.8.x, 7.9.0, 8.0.x
    Jaspersoft Studio Community Edition     6.19.x
    Scalable Query Engine                   8.0.0

    Note: To address the vulnerability in Jaspersoft Studio (JSS) 7.5.x and 7.8.x, TIBCO recommends upgrading to the latest version of Jaspersoft Studio, which is backward compatible.


    Available Hotfixes

    Hotfixes are available for the following products and versions. Please note that these hotfixes are only available to TIBCO customers and users with Support Portal access.

    AWS Fix for JasperReports Server

    Note: This fix is applicable only if you installed JasperReports Server on AWS using the CloudFormation template; for other installation types, use the available cumulative hotfix and execute standard installation steps mentioned in the Readme.

    1. Download Spring_aws_fix.sh and upload it to the Amazon S3 JasperReports customization bucket under the webapps/jasperserver-pro/WEB-INF folder, creating that directory structure if it does not exist yet.

    Note: The S3 bucket referred to here is generated when you create the stack/instance. The bucket name is available in the Outputs tab of the CloudFormation stack. You can sort the S3 buckets by creation date to see which ones were generated most recently. Keep in mind that, with the change in step 3, any script placed under WEB-INF in this bucket is pulled onto the instance and executed with root privileges by cfn-init, so write access to the bucket should be limited to the people and roles that are meant to deploy customizations.

    2. Download cumulative_hotfix.zip, unzip it, and extract WEB-INF/lib from the jasperserver-pro.zip it contains. Upload all the new Spring jars to the same Amazon S3 JasperReports customization bucket under webapps/jasperserver-pro/WEB-INF/lib (create the lib folder if it does not exist yet).

    3. Update the CloudFormation Template (CFT) with the following changes under the AWS::CloudFormation::Init section of LaunchConfig after the pullCustomizations config:

    "springJarsFix": {
        "cwd"     : "/var/lib/tomcat/webapps/jasperserver-pro/WEB-INF/",
        "command" : { "Fn::Join" : [" ", 
                ["sudo systemctl stop tomcat && chmod +x Spring_aws_fix.sh && ./Spring_aws_fix.sh && systemctl start tomcat "]
              ]
            },
        "ignoreErrors" : "true"
        },

    4. Under the Restart section, add springJarsFix after 4-pullCustomizations in the commands list. For example:

    "commands" : ["4-pullCustomizations","springJarsFix","5-WriteInitializationMarker"...]

    5. Update the CloudFormation stack by uploading the modified CloudFormation template, then wait until the CloudFormation Update completes.

    6. Reboot all running instances.

    After performing the above steps, the old Spring jars under /var/lib/tomcat/webapps/jasperserver-pro/WEB-INF/lib are replaced by the ones from the hotfix. Because the springJarsFix block sets "ignoreErrors" to "true", a failure in Spring_aws_fix.sh is not reported as a stack update failure, and after the reboot in step 6 Tomcat comes back with whatever jars are present at that point. Verify on each instance that no pre-fix Spring jars remain rather than relying on the CloudFormation update status.
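    The advisory names two deployment conditions for the public exploit (JDK 9 or later, and a WAR running on Tomcat) and, for AWS, replaces the Spring jars under WEB-INF/lib. The script below is an added example, not part of the TIBCO advisory or its hotfix, for checking an exploded JasperReports Server WAR after the jars have been replaced: it reads the Java major version from `java -version` output, confirms the webapp directory has the shape of an exploded WAR, and flags every Spring Framework jar in WEB-INF/lib whose version predates the upstream fix (5.2.20 on the 5.2 line, 5.3.18 on the 5.3 line; lines older than 5.2 never received a fix and are flagged for review). The fixture directory and jar file names in the demo section are constructed for the demonstration; /var/lib/tomcat/webapps/jasperserver-pro is the path the advisory uses for AWS.

```shell
#!/bin/sh
# Added example (not part of the TIBCO advisory or its hotfix): verify a
# JasperReports Server WAR deployment after the Spring4Shell hotfix.
#   java_major_version   parses the JDK major version out of `java -version`
#   is_tomcat_war        confirms the webapp has the exploded-WAR shape the
#                        advisory names as the target of the public exploit
#   check_spring_jars    flags Spring Framework jars in WEB-INF/lib whose
#                        version predates the CVE-2022-22965 fix
# Fixture paths and jar names in the demo section are constructed.

# Parse the Java major version from the first line of `java -version` output.
# "1.8.0_292" is the legacy form for Java 8 (-> 8); "11.0.2" and "17" give
# the first field directly.
java_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Return 0 when a Spring Framework version contains the CVE-2022-22965 fix:
# 5.2.20 or later on the 5.2 line, 5.3.18 or later on the 5.3 line, and any
# later line. Anything before 5.2 (4.x, 5.0.x, 5.1.x) never received a fix.
spring_version_is_fixed() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -d. -f3)
    patch=${patch:-0}
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -lt 5 ] || [ "$minor" -lt 2 ]; then return 1; fi
    if [ "$minor" -gt 3 ]; then return 0; fi
    if [ "$minor" -eq 2 ] && [ "$patch" -ge 20 ]; then return 0; fi
    if [ "$minor" -eq 3 ] && [ "$patch" -ge 18 ]; then return 0; fi
    return 1
}

# An exploded WAR on Tomcat has WEB-INF/web.xml and a WEB-INF/lib directory.
is_tomcat_war() {
    [ -f "$1/WEB-INF/web.xml" ] && [ -d "$1/WEB-INF/lib" ]
}

# Print one line per Spring Framework jar in the given lib directory and
# return 1 if any is vulnerable or could not be parsed. Jars from other Spring
# projects (Security, LDAP, Data, ...) have their own version lines and are
# skipped rather than judged against Framework version numbers.
check_spring_jars() {
    libdir=$1
    bad=0
    for jar in "$libdir"/spring-*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar" .jar)
        case "$name" in
            spring-security-*|spring-ldap-*|spring-data-*|spring-boot-*|spring-batch-*|spring-integration-*|spring-retry-*) continue ;;
        esac
        # "spring-context-support-5.3.18" -> "5.3.18"; "spring-web-5.2.20.RELEASE" -> "5.2.20"
        ver=$(printf '%s\n' "$name" | sed -n 's/^spring-[a-z-]*-\([0-9][0-9.]*\).*/\1/p')
        ver=${ver%.}
        if [ -z "$ver" ]; then
            echo "REVIEW  $jar (version not recognisable from file name)"
            bad=1
        elif spring_version_is_fixed "$ver"; then
            echo "OK      $jar"
        else
            echo "VULN    $jar (Spring Framework $ver predates the CVE-2022-22965 fix)"
            bad=1
        fi
    done
    return $bad
}

# With a webapp directory as argument, check a real deployment; without one,
# run against a constructed fixture that mixes fixed and unfixed jars.
if [ -n "${1:-}" ]; then
    webapp=$1
else
    fixture=$(mktemp -d)
    webapp="$fixture/jasperserver-pro"
    mkdir -p "$webapp/WEB-INF/lib"
    : > "$webapp/WEB-INF/web.xml"
    for f in spring-beans-5.3.16.jar spring-core-5.3.18.jar \
             spring-web-5.2.20.RELEASE.jar spring-security-core-5.6.2.jar; do
        : > "$webapp/WEB-INF/lib/$f"
    done
fi

if command -v java >/dev/null 2>&1; then
    echo "Java major version: $(java_major_version "$(java -version 2>&1 | head -n 1)")"
fi
if is_tomcat_war "$webapp"; then
    echo "$webapp is an exploded WAR (the deployment shape targeted by the public exploit)"
fi
if check_spring_jars "$webapp/WEB-INF/lib"; then
    echo "RESULT: all Spring Framework jars are at a fixed version"
else
    echo "RESULT: hotfix incomplete, vulnerable or unrecognised Spring Framework jars remain"
fi
[ -z "${fixture:-}" ] || rm -rf "$fixture"
```

    On an AWS instance, run it after the stack update as `sh check_spring_jars.sh /var/lib/tomcat/webapps/jasperserver-pro`; a RESULT line reporting remaining jars means Spring_aws_fix.sh did not complete, which the CloudFormation status will not tell you because of "ignoreErrors". The check goes by file name only, so a jar whose name carries no recognisable version is reported for manual review rather than passed.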

    Azure Fix for JasperReports Server

    If you installed JasperReports Server on Azure, use the available cumulative hotfix and execute standard installation steps mentioned in the Readme.


    Document History

    • Version 1.0 (April 1, 2022): Initial vulnerability report published.
    • Version 1.1 (April 1, 2022): Added Talend Security Advisories reference link.
    • Version 2.0 (April 3, 2022): Removed JasperReports Library Pro/Community Edition from affected Jaspersoft products list.
    • Version 3.0 (April 5, 2022): Added Mitigation section.
    • Version 4.0 (April 6, 2022): Added Available Hotfixes section and hotfixes for JRS 8.0.1, JRS 7.9.2.
    • Version 5.0 (April 6, 2022): Updated Available Hotfixes section (added JSS 7.9.0, JSS 8.0.1, JRIO Pro 2.0.0).
    • Version 6.0 (April 7, 2022): Added AWS Fix for JasperReports Server section, and downloadable .sh zip file.
    • Version 6.1 (April 8, 2022): Removed instructions for manually updating drivers (not needed).
    • Version 7.0 (April 8, 2022): Added Azure Fix for JasperReports Server section; added JRIO At-Scale 2.0.0 Hotfix link; updated Talend Spring Security Advisory link.
    • Version 7.1 (April 11, 2022): Added compatibility notes for hotfixes.
    • Version 8.0 (April 20, 2022): Updated Available Hotfixes section (JRS 7.8.1, JRS 7.5.2)
    • Version 8.1 (April 20, 2022): Removed Mitigation section.
    • Version 9.0 (May 12, 2022): Added recommendation for JSS 7.5.x and 7.8.x users to upgrade to the latest version of Jaspersoft Studio (which is backwards compatible) to address vulnerability.
    • Version 9.1 (May 18, 2022): Added downloadable Hotfix zip files for JRS 8.0.1, JRS 7.9.2, JRS 7.8.1, JRS 7.5.2.

     

    spring_aws_fix.zip

    hotfix_jrspro7.5.2_cumulative_20220418_2241.zip

    hotfix_jrspro7.8.1_cumulative_20220415_1823.zip

    hotfix_jrspro7.9.2_cumulative_20220404_1421.zip

