TIBCO JasperReports Server User Information Disclosure

  Original release date: March 6, 2019
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3
  TIBCO JasperReports Server version 7.1.0

  TIBCO JasperReports Server Community Edition versions 7.1.0 and below

  TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below

  TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below

  TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below

  The following components are affected:

    * REST API


Description

  The component listed above contains a vulnerability that theoretically allows
  unauthenticated users to bypass authorization checks for portions of the
  HTTP interface to the JasperReports Server.


Impact

  The impact of this vulnerability includes the theoretical possibility of
  unauthenticated read access to the contents of the host system, when combined
  with the vulnerability identified by CVE-2018-18809.

  CVSS v3 Base Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to
    version 6.4.4 or higher
  TIBCO JasperReports Server version 7.1.0 update to version 7.1.1 or higher

  TIBCO JasperReports Server Community Edition versions 7.1.0 and below
    update to version 7.1.1 or higher

  TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
    update to version 6.4.4 or higher

  TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
    update to version 7.1.1 or higher

  TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
    update to version 7.1.1 or higher


Acknowledgments

  TIBCO would like to extend its appreciation to Steven Seeley (mr_me) of
  Source Incite working with Trend Micro Zero Day Initiative for discovery of
  this vulnerability.


References

  http://www.tibco.com/services/support/advisories
  CVE-2018-18815
  See also: CVE-2018-18809