Security Advisory for TIBCO JasperReports Server
Article ID: KB0108119
Updated On:
| Products | Versions |
|---|---|
| TIBCO JasperReports Server | 6.3.0, 6.2.0, 6.2.1, 6.1.1 and below |
Description
TIBCO JasperReports Server cross-site vulnerabilities
Original release date: June 28, 2017
Last revised: --
Source: TIBCO Software Inc.
Description
The JasperReports Server components listed above contain vulnerabilities
which may allow authorized users to perform cross-site scripting (XSS) and
cross-site request forgery (CSRF) attacks.
Impact
The impact of this vulnerability includes the theoretical disclosure of
sensitive information.
CVSS v3 Base Score: 5.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Environment
Systems Affected
TIBCO JasperReports Server version 6.1.1 and below
TIBCO JasperReports Server version 6.2.0, and 6.2.1
TIBCO JasperReports Server version 6.3.0
TIBCO JasperReports Server Community Edition version 6.3.0 and below
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.2.0 and below
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.3.0 and below
TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.3.0 and below
The following components are affected:
* jasperserver-api-metadata-impl family of JAR files
* jasperserver-war-jar family of JAR files
Resolution
Solution
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions.
For TIBCO JasperReports Server, upgrade
versions 6.1.1 and below to version 6.1.2 or higher,
versions 6.2.X to version 6.2.3 or higher,
versions 6.3.X to version 6.3.2 or higher.
For TIBCO JasperReports Server Community Edition, upgrade
to version 6.4.0 or higher.
For TIBCO JasperReports Server for ActiveMatrix BPM, upgrade
to version 6.4.0 or higher.
For TIBCO Jaspersoft for AWS with Multi-Tenancy, upgrade
to version 6.4.0 or higher
For TIBCO Jaspersoft Reporting and Analytics for AWS, upgrade
to version 6.4.0 or higher
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions.
For TIBCO JasperReports Server, upgrade
versions 6.1.1 and below to version 6.1.2 or higher,
versions 6.2.X to version 6.2.3 or higher,
versions 6.3.X to version 6.3.2 or higher.
For TIBCO JasperReports Server Community Edition, upgrade
to version 6.4.0 or higher.
For TIBCO JasperReports Server for ActiveMatrix BPM, upgrade
to version 6.4.0 or higher.
For TIBCO Jaspersoft for AWS with Multi-Tenancy, upgrade
to version 6.4.0 or higher
For TIBCO Jaspersoft Reporting and Analytics for AWS, upgrade
to version 6.4.0 or higher
Issue/Introduction
Security Advisory for TIBCO JasperReports Server
Additional Information
Acknowledgments
TIBCO would like to extend its appreciation to Paul Ionescu of
IBM Security X-Force Research, and Wen Bin Kong and Sven Schleier of
Vantage Point Security for discovery of these vulnerabilities.
References
http://www.tibco.com/services/support/advisories
http://docs.tibco.com/products/tibco-jasperreports-server
http://community.jaspersoft.com/project/jasperreports-server
CVE: CVE-2017-5528
TIBCO would like to extend its appreciation to Paul Ionescu of
IBM Security X-Force Research, and Wen Bin Kong and Sven Schleier of
Vantage Point Security for discovery of these vulnerabilities.
References
http://www.tibco.com/services/support/advisories
http://docs.tibco.com/products/tibco-jasperreports-server
http://community.jaspersoft.com/project/jasperreports-server
CVE: CVE-2017-5528
Feedback
Yes
No
Powered by
