TIBCO JasperReports Server credentials disclosure

  Original release date: November 15, 2017
  Last revised: --
  Source: TIBCO Software Inc.

Description

  The JasperReports components listed above contain a vulnerability which
  fails to prevent remote access to all the contents of the web application,
  including key configuration files.
 
 
Impact

  The impact includes the possible access to web application configuration
  files that contain the credentials used by the server. Those credentials
  could then be used to affect external systems accessed by the JasperReports
  Server.

  CVSS v3 Base Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)

 

Systems Affected TIBCO JasperReports Server version 6.4.0 TIBCO JasperReports Server Community Edition version 6.4.0 TIBCO JasperReports Server for ActiveMatrix BPM version 6.4.0 TIBCO Jaspersoft for AWS with Multi-Tenancy version 6.4.0 TIBCO Jaspersoft Reporting and Analytics for AWS version 6.4.0 The following components are affected: Server content cache

 TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO JasperReports Server versions 6.4.0 update to version 6.4.2 or higher

  TIBCO JasperReports Server Community Edition version 6.4.0 update to
    version 6.4.2 or higher

  TIBCO JasperReports Server for ActiveMatrix BPM version 6.4.0 update to
    version 6.4.2 or higher

  TIBCO Jaspersoft for AWS with Multi-Tenancy version 6.4.0 update to
    version 6.4.2 or higher
  
  TIBCO Jaspersoft Reporting and Analytics for AWS version 6.4.0 update to
    version 6.4.2 or higher
 

Security Advisory for TIBCO JasperReports Server

http://www.tibco.com/services/support/advisories
  CVE: CVE-2017-5533