| Products | Versions |
|---|---|
| TIBCO JasperReports Server | - |
Jaspersoft is aware of the recent vulnerability CVE-2022-42889, a remote code execution flaw in the Apache Commons Text library. Apache Commons Text is an open-source library that performs variable interpolation, allowing properties to be dynamically evaluated and expanded. This is a newly discovered flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.
Impact: Affects Apache Commons Text versions 1.5 through 1.9, in which the default set of Lookup instances includes interpolators that allow arbitrary code execution and connections to remote servers.
NOTE: This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary. Jaspersoft will keep this page updated as more information becomes available.
AVAILABLE HOTFIXES
The recommended solution is to apply the latest hotfix for your JasperReports Server version. The hotfix for JasperReports Server consists of the following steps:
1. Manually replace the old commons-text-1.9.jar with commons-text-1.10.0.jar, which can be downloaded from the Maven Repository: https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.10.0
2. Replace the jar in both locations: tomcat/webapps/jasperserver-pro/WEB-INF/lib and, for buildomatic, <js-install>/buildomatic/lib
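As an added example (not Jaspersoft's own tooling), a POSIX shell script that carries out the two steps above against a JasperReports Server install: it locates commons-text jars under both lib directories, flags any in the affected 1.5 to 1.9 range, and swaps in commons-text-1.10.0.jar. It assumes the 1.10.0 jar has already been downloaded from the Maven URL above and verified against the checksum Maven publishes beside it; the sandbox at the bottom is constructed, with empty files standing in for the jars.

```shell
#!/bin/sh
# Added example, not Jaspersoft's hotfix script: find commons-text jars in the two
# JasperReports Server lib directories the advisory names, flag versions in the
# affected 1.5 - 1.9 range, and swap in commons-text-1.10.0.jar (assumed downloaded).

# Return 0 when VERSION (e.g. "1.9") is inside the affected range 1.5 .. 1.9.
is_affected_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]
}

# Print every affected commons-text jar under DIR; return 0 if at least one exists.
find_affected_jar() {
    found=1
    for jar in "$1"/commons-text-*.jar; do
        [ -e "$jar" ] || continue          # unmatched glob stays literal
        ver=${jar##*/commons-text-}; ver=${ver%.jar}
        if is_affected_version "$ver"; then echo "$jar"; found=0; fi
    done
    return $found
}

# Rename each affected jar to *.bak (Tomcat only loads *.jar, so the old classes
# can no longer be picked up) and copy NEW_JAR into the same directory.
replace_affected_jar() {
    for jar in $(find_affected_jar "$1"); do
        mv "$jar" "$jar.bak"
        cp "$2" "$1/$(basename "$2")"
    done
}

# Apply the swap to both locations the advisory lists, relative to <js-install>.
patch_install() {
    for d in "$1/tomcat/webapps/jasperserver-pro/WEB-INF/lib" "$1/buildomatic/lib"; do
        replace_affected_jar "$d" "$1/commons-text-1.10.0.jar"
    done
}

# Constructed sandbox standing in for <js-install>: empty files play the jars.
setup_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/tomcat/webapps/jasperserver-pro/WEB-INF/lib" "$root/buildomatic/lib"
    : > "$root/tomcat/webapps/jasperserver-pro/WEB-INF/lib/commons-text-1.9.jar"
    : > "$root/buildomatic/lib/commons-text-1.9.jar"
    : > "$root/commons-text-1.10.0.jar"   # stands in for the Maven download
    echo "$root"
}
```

Stop JasperReports Server before running the swap on a real install and start it again afterwards so Tomcat loads the new jar.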