TIBCO JasperReports XML Eternal Entity (XXE) vulnerability

  Original release date: October 12, 2021
  Last revised: November 2, 2021
  Source: TIBCO Software Inc.


Products Affected

  TIBCO JasperReports Server versions 7.2.1 and below

  TIBCO JasperReports Server versions 7.5.0 and 7.5.1

  TIBCO JasperReports Server version 7.8.0

  TIBCO JasperReports Server version 7.9.0

  TIBCO JasperReports Server - Community Edition versions 7.8.0 and below

  TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below

  TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below

  TIBCO JasperReports Server for Microsoft Azure version 7.8.0

  The following component is affected:

    * XMLA Connections


Description

  The component listed above contains a difficult to exploit vulnerability that
  allows a low privileged attacker with network access to interfere with XML
  processing in the affected component.


Impact

  Successful execution of this vulnerability can result in unauthorized read,
  update, insert or delete access to the affected systems data and the ability
  to cause a denial of service (DOS) on the affected system.

  CVSS v3 Base Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO JasperReports Server versions 7.2.1 and below update to version 7.2.2
    or later

  TIBCO JasperReports Server versions 7.5.0 and 7.5.1 update to version 7.5.2
    or later

  TIBCO JasperReports Server version 7.8.0 update to version 7.8.1 or later

  TIBCO JasperReports Server version 7.9.0 update to version 7.9.1 or later

  TIBCO JasperReports Server - Community Edition versions 7.8.0 and below
    update to version 7.8.1 or later

  TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for Microsoft Azure version 7.8.0 update to
    version 7.9.1 or later


Acknowledgments

  TIBCO would like to extend its appreciation to Dr. Florian Hauser, CODE WHITE
  GmbH for discovery of this vulnerability.

References

  https://www.tibco.com/services/support/advisories
  CVE-2021-35496