Security Advisory Regarding TIBCO JasperReports

Article ID: KB0107975

Products                                              Versions
TIBCO JasperReports Server                            8.0.1 and below
TIBCO JasperReports IO - At-Scale Edition             -
TIBCO JasperReports Server for ActiveMatrix BPM       7.9.2 and below

Description

TIBCO JasperReports Server Reflected Cross Site Scripting (XSS) vulnerability

  Original release date: May 17, 2022
  Last revised: ---
  Source: TIBCO Software Inc.

Description

  The component listed above contains difficult-to-exploit Reflected Cross Site
  Scripting (XSS) vulnerabilities that allow a low-privileged attacker with
  network access to execute scripts targeting the affected system or the
  victim's local system.


Impact

  In the worst case, if the victim is a privileged administrator, successful
  exploitation of these vulnerabilities can result in an attacker gaining full
  administrative access to the affected system.

  CVSS v3 Base Score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)

Issue/Introduction

Security Advisory Regarding TIBCO JasperReports Server Reflected Cross Site Scripting (XSS) vulnerability

Environment

Products Affected

  TIBCO JasperReports Server versions 8.0.1 and below
  TIBCO JasperReports Server - Community Edition versions 8.0.1 and below
  TIBCO JasperReports Server - Developer Edition versions 8.0.0 and below
  TIBCO JasperReports Server for AWS Marketplace versions 8.0.1 and below
  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.2 and below
  TIBCO JasperReports Server for Microsoft Azure versions 8.0.1 and below

  The following component is affected:

  * REST API

Resolution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO JasperReports Server versions 8.0.1 and below: update to version 8.0.2
    or later

  TIBCO JasperReports Server - Community Edition versions 8.0.1 and below:
    update to version 8.0.2 or later

  TIBCO JasperReports Server - Developer Edition versions 8.0.0 and below:
    update to version 8.0.2 or later

  TIBCO JasperReports Server for AWS Marketplace versions 8.0.1 and below:
    update to version 8.0.2 or later

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.2 and below:
    This product is deprecated and should be uninstalled

  TIBCO JasperReports Server for Microsoft Azure versions 8.0.1 and below:
    update to version 8.0.2 or later

  If an upgrade is not possible, browser rendering of REST API responses in
  HTML and XML format can be prevented by changing the content type headers
  the server returns for them, so that a browser treats the response as a
  download rather than as a page to render. Instructions for restricting
  these content type headers are given below.

To configure this restriction in:

  • TIBCO JasperReports Server
  • TIBCO JasperReports Server for ActiveMatrix BPM
  • TIBCO JasperReports Server for AWS Marketplace
  • TIBCO JasperReports Server for Microsoft Azure

- open .../jasperserver-pro/WEB-INF/applicationContext-rest-services.xml

- find <util:map id="contentTypeMapping">

- change the following entries:

    <entry key="html" value="text/html"/>
    <entry key="jrxml" value="application/xml"/>
    <entry key="jrtx" value="application/xml"/>
    <entry key="xml" value="application/xml"/>
    <entry key="accessGrantSchema" value="application/xml"/>
    <entry key="olapMondrianSchema" value="application/xml"/>

  to:

    <entry key="html" value="application/html"/>
    <entry key="jrxml" value="application/repository.file+jrxml"/>
    <entry key="jrtx" value="application/repository.file+jrtx"/>
    <entry key="xml" value="application/repository.file+xml"/>
    <entry key="accessGrantSchema" value="application/repository.file+accessGrantSchema"/>
    <entry key="olapMondrianSchema" value="application/repository.file+olapMondrianSchema"/>


To configure this restriction in:

  • TIBCO JasperReports Server - Community Edition

- open .../jasperserver/WEB-INF/applicationContext-rest-services.xml

- find <util:map id="contentTypeMapping">

- change the following entries:

    <entry key="html" value="text/html"/>
    <entry key="jrxml" value="application/xml"/>
    <entry key="jrtx" value="application/xml"/>
    <entry key="xml" value="application/xml"/>
    <entry key="accessGrantSchema" value="application/xml"/>
    <entry key="olapMondrianSchema" value="application/xml"/>

  to:

    <entry key="html" value="application/html"/>
    <entry key="jrxml" value="application/repository.file+jrxml"/>
    <entry key="jrtx" value="application/repository.file+jrtx"/>
    <entry key="xml" value="application/repository.file+xml"/>
    <entry key="accessGrantSchema" value="application/repository.file+accessGrantSchema"/>
    <entry key="olapMondrianSchema" value="application/repository.file+olapMondrianSchema"/>
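To confirm that the workaround above (for either edition) has actually been applied to a deployed applicationContext-rest-services.xml, the following script, an added example and not TIBCO's code, parses the contentTypeMapping map and reports which of the advisory-listed keys still carry a browser-rendered content type. The XML embedded in it is a constructed sample of the relevant fragment, not the shipped file, and the "pdf" entry is filler not mentioned by the advisory.

```python
import xml.etree.ElementTree as ET

# Values the advisory prescribes for the contentTypeMapping workaround.
HARDENED = {
    "html": "application/html",
    "jrxml": "application/repository.file+jrxml",
    "jrtx": "application/repository.file+jrtx",
    "xml": "application/repository.file+xml",
    "accessGrantSchema": "application/repository.file+accessGrantSchema",
    "olapMondrianSchema": "application/repository.file+olapMondrianSchema",
}
# Content types a browser renders inline; the workaround replaces these.
BROWSER_RENDERED = {"text/html", "application/xml"}

# Constructed sample of the relevant fragment (not the shipped file);
# "pdf" is a filler entry the advisory does not mention.
SAMPLE_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:map id="contentTypeMapping">
    <entry key="html" value="text/html"/>
    <entry key="jrxml" value="application/xml"/>
    <entry key="xml" value="application/xml"/>
    <entry key="pdf" value="application/pdf"/>
  </util:map>
</beans>
"""

def _local(tag):
    """Strip the XML namespace so beans and util elements match by local name."""
    return tag.rsplit("}", 1)[-1]

def load_content_type_mapping(xml_text):
    """Return {key: value} for <util:map id="contentTypeMapping">."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "map" and elem.get("id") == "contentTypeMapping":
            return {e.get("key"): e.get("value") for e in elem if _local(e.tag) == "entry"}
    raise ValueError('no <util:map id="contentTypeMapping"> found')

def unhardened_entries(mapping):
    """Advisory-listed keys that still map to a browser-rendered content type."""
    return sorted(k for k in HARDENED if mapping.get(k) in BROWSER_RENDERED)

if __name__ == "__main__":
    current = load_content_type_mapping(SAMPLE_BEFORE)
    for key in unhardened_entries(current):
        print(f"{key}: {current[key]} -> change to {HARDENED[key]}")
```

Point SAMPLE_BEFORE at the real file's contents to check a deployed server; an empty result means every advisory-listed key has been moved off text/html and application/xml.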


Additional Information

Acknowledgments

  TIBCO would like to extend its appreciation to Mohamed Rezgui for discovery of
  this vulnerability.

References

  https://www.tibco.com/services/support/advisories
  CVE-2022-22773