TIBCO JasperReports Library Directory Traversal Vulnerability

  Original release date: March 6, 2019
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO JasperReports Library versions 6.3.4 and below
  TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21
  TIBCO JasperReports Library version 7.1.0
  TIBCO JasperReports Library version 7.2.0

  TIBCO JasperReports Library Community Edition versions 6.7.0 and below

  TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below

  TIBCO JasperReports Server versions 6.3.4 and below
  TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3
  TIBCO JasperReports Server version 7.1.0

  TIBCO JasperReports Server Community Edition versions 6.4.3 and below
  TIBCO JasperReports Server Community Edition version 7.1.0

  TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below

  TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below

  TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below

  The following components are affected:

    * default server implementation


Description

  The component listed above contains a directory-traversal vulnerability that
  may theoretically allow web server users to access contents of the host
  system.


Impact

  The impact of this vulnerability includes the theoretical possibility that
  a web server using the provided DefaultWebResourceHandler could expose
  details of the host system. The disclosed data could include credentials to
  access other systems.

  CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO JasperReports Library versions 6.3.4 and below update to
    version 6.3.5 or higher
  TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21 update to
    version 6.4.22 or higher
  TIBCO JasperReports Library version 7.1.0 update to version 7.1.1 or higher
  TIBCO JasperReports Library version 7.2.0 update to version 7.2.1 or higher

  TIBCO JasperReports Library Community Edition versions 6.7.0 and below
    update to version 6.7.1 or higher

  TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below
    update to version 6.4.22 or higher

  TIBCO JasperReports Server versions 6.3.4 and below update to version 6.3.5
    or higher
  TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to
    version 6.4.4 or higher
  TIBCO JasperReports Server version 7.1.0 update to version 7.1.1 or higher

  TIBCO JasperReports Server Community Edition versions 7.1.0 and below
    update to version 7.1.1 or higher

  TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
    update to version 6.4.4 or higher

  TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
    update to version 7.1.1 or higher

  TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
    update to version 7.1.1 or higher


Acknowledgments

  TIBCO would like to extend its appreciation to Elar Lang of Clarified
  Security and Sathish Kumar Balakrishnan from Cyber Security Works Pvt Ltd
  for discovery of this vulnerability.


References

  http://www.tibco.com/services/support/advisories
  CVE-2018-18809