Xalan Vulnerability Update for Jaspersoft Products (CVE-2022-34169)

Article ID: KB0071984

Products                      Versions
TIBCO JasperReports Server    8.0.x, 8.1.0
TIBCO JasperReports           3.0.x, 3.1.x

Description

TIBCO is aware of the recently announced Apache Xalan vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-34169).

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. 

Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan (the com.sun.org.apache.xalan.internal.xsltc packages). Those copies are not touched by the steps below and are fixed only through JDK updates, so keep the JDK current as well.

IMPACT
Successful exploitation of this vulnerability could potentially allow an attacker to execute arbitrary Java bytecode.

AFFECTED PRODUCTS
Currently, JasperReports Server 8.0.x and 8.1.x, and JasperReports Library 3.0.x and 3.1.x, ship with xalan-2.7.2.jar, which is affected by CVE-2022-34169.

Resolution

To manually remove Xalan from a deployment:
1. Go to the deployed JasperReports Server web application, for example: tomcat/webapps/jasperserver-pro
2. Manually delete the following libraries:

  tomcat/webapps/jasperserver-pro/WEB-INF/lib/xalan-2.7.2.jar
  tomcat/webapps/jasperserver-pro/WEB-INF/lib/serializer-2.7.2.jar

3. Go to tomcat/webapps/jasperserver-pro/META-INF and create a services folder.
4. Under tomcat/webapps/jasperserver-pro/META-INF/services, create two files:

  tomcat/webapps/jasperserver-pro/META-INF/services/javax.xml.transform.TransformerFactory
  tomcat/webapps/jasperserver-pro/META-INF/services/javax.xml.xpath.XPathFactory

5. Add the implementation classes to be used for the factories:
a. Into the file javax.xml.transform.TransformerFactory, add one line:
net.sf.saxon.TransformerFactoryImpl

b. Into the file javax.xml.xpath.XPathFactory, add one line:
net.sf.saxon.xpath.XPathFactoryImpl

6. Edit tomcat/webapps/jasperserver-pro/WEB-INF/classes/jasperreports.properties and add the following property:
net.sf.jasperreports.xpath.executer.factory=net.sf.jasperreports.engine.util.xml.JaxenXPathExecuterFactory
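The six steps above as one POSIX shell script, added here as an example and not taken from the TIBCO article. It takes the exploded webapp directory (assumed to be tomcat/webapps/jasperserver-pro) as its argument, applies each step so that re-running it never duplicates the property line, and then performs the post-patch check a practitioner would want: no xalan-*.jar or serializer-*.jar of any version left in WEB-INF/lib, both JAXP service files naming the Saxon classes, and the Jaxen executer property present exactly once. It also warns when no saxon*.jar is deployed, since the service entries name Saxon classes. Run it with the application server stopped. With no argument it runs against a constructed stand-in tree (empty placeholder jars, a comment-only properties file), which is illustration only.

```shell
#!/bin/sh
# Added example, not part of the TIBCO article: applies the manual Xalan
# removal steps to an exploded JasperReports Server webapp and verifies them.
# The webapp path (for example tomcat/webapps/jasperserver-pro) is the argument;
# the demo tree built at the bottom is constructed here for illustration only.
set -u

XALAN_JARS="xalan-2.7.2.jar serializer-2.7.2.jar"
PROP_KEY=net.sf.jasperreports.xpath.executer.factory
PROP_VAL=net.sf.jasperreports.engine.util.xml.JaxenXPathExecuterFactory
PROP_RE='^net\.sf\.jasperreports\.xpath\.executer\.factory='

# Step 2: delete the vulnerable Xalan jars from WEB-INF/lib.
remove_xalan_jars() {
    for jar in $XALAN_JARS; do
        if [ -f "$1/WEB-INF/lib/$jar" ]; then
            rm -f -- "$1/WEB-INF/lib/$jar" && echo "removed $jar"
        fi
    done
}

# Steps 3-5: register Saxon as the JAXP TransformerFactory and XPathFactory
# provider so nothing resolves to the deleted Xalan classes.
write_jaxp_services() {
    svc="$1/META-INF/services"
    mkdir -p "$svc"
    printf '%s\n' net.sf.saxon.TransformerFactoryImpl > "$svc/javax.xml.transform.TransformerFactory"
    printf '%s\n' net.sf.saxon.xpath.XPathFactoryImpl > "$svc/javax.xml.xpath.XPathFactory"
}

# Step 6: point JasperReports at the Jaxen XPath executer. Any existing value
# of the key is dropped first, so re-running never duplicates the property.
set_xpath_executer() {
    props="$1/WEB-INF/classes/jasperreports.properties"
    mkdir -p "$(dirname "$props")"
    if [ -f "$props" ]; then
        grep -v "$PROP_RE" "$props" > "$props.tmp" || :
        mv "$props.tmp" "$props"
    fi
    printf '%s=%s\n' "$PROP_KEY" "$PROP_VAL" >> "$props"
}

# The service files name Saxon classes; warn if no Saxon jar is deployed.
warn_if_no_saxon() {
    if [ -z "$(find "$1/WEB-INF/lib" -name 'saxon*.jar' 2>/dev/null)" ]; then
        echo "warning: no saxon*.jar in $1/WEB-INF/lib; the JAXP service entries will not resolve" >&2
    fi
}

remediate() {
    remove_xalan_jars "$1"
    write_jaxp_services "$1"
    set_xpath_executer "$1"
    warn_if_no_saxon "$1"
}

# Post-patch check: returns 0 only if every step took effect. Any Xalan or
# serializer jar, whatever its version, counts as a failure.
verify_remediation() {
    [ -z "$(find "$1/WEB-INF/lib" \( -name 'xalan-*.jar' -o -name 'serializer-*.jar' \) 2>/dev/null)" ] || return 1
    [ "$(cat "$1/META-INF/services/javax.xml.transform.TransformerFactory" 2>/dev/null)" = net.sf.saxon.TransformerFactoryImpl ] || return 1
    [ "$(cat "$1/META-INF/services/javax.xml.xpath.XPathFactory" 2>/dev/null)" = net.sf.saxon.xpath.XPathFactoryImpl ] || return 1
    grep -q "${PROP_RE}${PROP_VAL}\$" "$1/WEB-INF/classes/jasperreports.properties" 2>/dev/null || return 1
}

# Constructed stand-in for a webapp: empty placeholder jars plus an unrelated
# jar that must survive, and a properties file holding only a comment line.
make_demo_webapp() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib" "$d/WEB-INF/classes"
    for jar in $XALAN_JARS other-library.jar; do : > "$d/WEB-INF/lib/$jar"; done
    printf '# constructed placeholder\n' > "$d/WEB-INF/classes/jasperreports.properties"
    echo "$d"
}

if [ $# -eq 1 ]; then
    webapp=$1                     # real deployment: stop the application server first
else
    webapp=$(make_demo_webapp)    # no argument: exercise the steps on the constructed tree
fi
remediate "$webapp"
if verify_remediation "$webapp"; then
    echo "remediation verified in $webapp"
else
    echo "remediation INCOMPLETE in $webapp" >&2
fi
[ $# -eq 1 ] || rm -rf "$webapp"
```

Usage: `sh remove-xalan.sh tomcat/webapps/jasperserver-pro`. The verification function is deliberately stricter than the removal step, matching any xalan-*.jar or serializer-*.jar rather than only the 2.7.2 file names, so it also catches a copy of the library that arrived under a different version.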

IMPACT TO FUNCTIONALITY
After these modifications, old (deprecated) OLAP Views will stop working, but OLAP connections can still be used and will work in Ad Hoc Views and Reports. A permanent fix will be delivered later and should resolve the issue with non-working OLAP Views.

Additional Information

Apache Xalan Vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-34169