Xalan Vulnerability Update for Jaspersoft Products


    jpadre
Features: JasperReports Server. Version: v8. Product: JasperReports® Server.

    TIBCO is aware of the recently announced Apache Xalan vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-34169). 

    Description

    The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. 

    Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

    Impact

    Successful exploitation of this vulnerability could potentially allow an attacker to execute arbitrary Java bytecode.

    Affected Products

    Currently, JasperReports Server 8.0.x and 8.1.x, and JasperReports Library 3.0.x and 3.1.x, ship with xalan-2.7.2.jar, which has CVE-2022-34169.

    Mitigation

To manually remove Xalan from the deployment:
    1. Go into the deployed JasperReports Server, for example: tomcat/webapps/jasperserver-pro
    2. Manually delete the following libraries:

      tomcat/webapps/jasperserver-pro/WEB-INF/lib/xalan-2.7.2.jar
      tomcat/webapps/jasperserver-pro/WEB-INF/lib/serializer-2.7.2.jar

    3. Go to tomcat/webapps/jasperserver-pro/META-INF and create a services folder.
    4. Under tomcat/webapps/jasperserver-pro/META-INF/services, create two files:

      tomcat/webapps/jasperserver-pro/META-INF/services/javax.xml.transform.TransformerFactory
      tomcat/webapps/jasperserver-pro/META-INF/services/javax.xml.xpath.XPathFactory

5. Add the implementation classes that the factories will use:
    a. Into the file javax.xml.transform.TransformerFactory, add one line:
    net.sf.saxon.TransformerFactoryImpl

    b. Into the file javax.xml.xpath.XPathFactory, add one line:
    net.sf.saxon.xpath.XPathFactoryImpl

6. Edit tomcat/webapps/jasperserver-pro/WEB-INF/classes/jasperreports.properties and add the new property:
    net.sf.jasperreports.xpath.executer.factory=net.sf.jasperreports.engine.util.xml.JaxenXPathExecuterFactory

Note: After these modifications, old (deprecated) OLAP Views will stop working, but OLAP connections can still be used and will work fine in Ad Hoc Views and Reports. A permanent fix will be delivered later and should resolve the issue with non-working OLAP Views.
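Steps 1 through 6 above in scripted form, added here as an example rather than taken from Jaspersoft's own documentation, so the change can be applied consistently across several deployments and then verified. It assumes the Saxon classes named in the service files are already on the webapp classpath (the page does not say where they come from), so the verification step only warns when no saxon*.jar is present in WEB-INF/lib.

```shell
#!/bin/sh
# Scripted form of mitigation steps 1-6 for one deployed JasperReports Server webapp.
# Assumption (not stated on the page): the Saxon classes the service files name are
# already on the webapp classpath; verify_xalan_mitigation only warns if none is found.
set -eu
XALAN_FIX_PROP='net.sf.jasperreports.xpath.executer.factory=net.sf.jasperreports.engine.util.xml.JaxenXPathExecuterFactory'

apply_xalan_mitigation() {
  webapp="$1"                      # e.g. tomcat/webapps/jasperserver-pro
  lib="$webapp/WEB-INF/lib"
  services="$webapp/META-INF/services"
  props="$webapp/WEB-INF/classes/jasperreports.properties"

  # Steps 1-2: delete the vulnerable Xalan jar and its serializer companion.
  rm -f "$lib/xalan-2.7.2.jar" "$lib/serializer-2.7.2.jar"

  # Steps 3-5: register Saxon as the JAXP TransformerFactory and XPathFactory.
  mkdir -p "$services"
  printf '%s\n' net.sf.saxon.TransformerFactoryImpl \
    > "$services/javax.xml.transform.TransformerFactory"
  printf '%s\n' net.sf.saxon.xpath.XPathFactoryImpl \
    > "$services/javax.xml.xpath.XPathFactory"

  # Step 6: switch JasperReports to the Jaxen XPath executer (appended once only).
  mkdir -p "$(dirname "$props")"
  touch "$props"
  grep -qxF "$XALAN_FIX_PROP" "$props" || printf '%s\n' "$XALAN_FIX_PROP" >> "$props"
}

# Exit status 0 when no Xalan jar remains and all three edits are in place;
# otherwise prints each finding and returns 1.
verify_xalan_mitigation() {
  webapp="$1"
  rc=0
  for jar in "$webapp"/WEB-INF/lib/xalan-*.jar "$webapp"/WEB-INF/lib/serializer-*.jar; do
    if [ -e "$jar" ]; then echo "still present: $jar"; rc=1; fi
  done
  grep -qxF net.sf.saxon.TransformerFactoryImpl \
      "$webapp/META-INF/services/javax.xml.transform.TransformerFactory" 2>/dev/null \
    || { echo "TransformerFactory service file missing or wrong"; rc=1; }
  grep -qxF net.sf.saxon.xpath.XPathFactoryImpl \
      "$webapp/META-INF/services/javax.xml.xpath.XPathFactory" 2>/dev/null \
    || { echo "XPathFactory service file missing or wrong"; rc=1; }
  grep -qxF "$XALAN_FIX_PROP" "$webapp/WEB-INF/classes/jasperreports.properties" 2>/dev/null \
    || { echo "jasperreports.properties: executer factory property missing"; rc=1; }
  ls "$webapp"/WEB-INF/lib/saxon*.jar >/dev/null 2>&1 \
    || echo "warning: no saxon*.jar in WEB-INF/lib; the registered factories need Saxon"
  return "$rc"
}
```

Run `apply_xalan_mitigation tomcat/webapps/jasperserver-pro` with Tomcat stopped, then `verify_xalan_mitigation` on the same path before restarting; the verify function is also useful on its own as a post-deployment check that a later redeploy has not restored the jar.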

    Document History

    - Version 1.0 (Sept 12, 2022): Initial vulnerability report published.